---===[ Qubes Security Bulletin 092 ]===--- 2023-08-08 Buffer overrun in Linux netback driver (XSA-432) User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.1, in dom0: - Linux kernel packages (kernel*-qubes-vm), versions 6.1.43, 6.4.8, 5.15.124 For Qubes 4.2, in dom0: - Linux kernel packages (kernel*-qubes-vm), versions 6.1.43, 6.4.8 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  Service qubes that provide network access (such as sys-net, sys-firewall, sys-whonix, and VPN qubes) must be restarted afterward in order for the updates to take effect. By default, all qubes use a kernel provided by dom0. However, advanced users may opt to modify a given qube so that it uses an in-qube kernel instead.  In such cases, the fixes contained in the kernel packages listed above will not apply. Instead, any fix would have to come from the upstream organization responsible for the distribution running in that qube. If and when the relevant upstream organization makes such a fix available, a normal update  should be sufficient to apply it. The Qubes security team has no control over this process, as it concerns the operations of independent organizations. Those who use in-qube kernels may wish to consider temporarily switching to a dom0-provided kernel. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Linux binaries. Summary -------- On 2023-08-08, the Xen Project published XSA-432, "Linux: buffer overrun in netback due to unusual packet" : | The fix for XSA-423 added logic to Linux'es netback driver to deal | with a frontend splitting a packet in a way such that not all of the | headers would come in one piece. Unfortunately the logic introduced | there didn't account for the extreme case of the entire packet being | split into as many pieces as permitted by the protocol, yet still | being smaller than the area that's specially dealt with to keep all | (possible) headers together. Such an unusual packet would therefore | trigger a buffer overrun in the driver. | | An unprivileged guest can cause Denial of Service (DoS) of the host by | sending network packets to the backend, causing the backend to crash. | | Data corruption or privilege escalation seem unlikely but have not | been ruled out. Impact ------- An attacker who manages to compromise a network-connected qube could attempt to exploit the vulnerability described in this bulletin in order to attack the service qube (such as sys-net, sys-firewall, sys-whonix, or a VPN qube) that provides network access to the compromised qube. The Qubes security team believes that such an attack is unlikely to succeed and that this vulnerability is not likely to be exploitable beyond causing a crash. However, if such an attack were successful, it would allow the attacker to execute arbitrary code in the service qube, potentially bypassing the restrictions that such service qubes normally impose. For example: - An attacker in control of sys-firewall could bypass the firewall rules that sys-firewall normally enforces for the qubes connected to it. - An attacker in control of sys-whonix could bypass Tor, emit clearnet traffic, and learn the machine's real public IP address. - An attacker in control of a VPN qube could observe and modify the network traffic of other qubes that are connected to it -- traffic that the VPN would normally protect. - An attacker in control of sys-net could gain direct access to attached PCIe devices. Credits -------- See the original Xen Security Advisory. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://www.qubes-os.org/doc/managing-vm-kernels/  https://xenbits.xen.org/xsa/advisory-432.html -- The Qubes Security Team https://www.qubes-os.org/security/
A Linux netback driver security update has been released for Qubes OS.