Qubes OS 45 Published by

A security update for the policy.RegisterArgument service is available for Qubes OS 4.2 systems.

QSB-099: Qrexec policy leak via policy.RegisterArgument service

We have published Qubes Security Bulletin 099: Qrexec policy leak via policy.RegisterArgument service. The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
Qubes Security Bulletin 099

---===[ Qubes Security Bulletin 099 ]===---


Qrexec policy leak via policy.RegisterArgument service

User action

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.


The policy.RegisterArgument service prints the whole qrexec policy due
to a leftover debug message.


A qube that is given permission to call the policy.RegisterArgument
service can learn the whole qrexec policy. The default qrexec policy
does not contain any secrets, but users can customize it to include qube
names, tag names, custom service names, and service arguments (like key
handles for the U2F/CTAP proxy).

Affected systems

Only Qubes OS 4.2 systems in which at least one qube is allowed to use
the policy.RegisterArgument service are affected. In the default
configuration, no qube is allowed to use this service, but users who use
the U2F/CTAP proxy may enable sys-usb to use it, e.g., with the Qubes
Global Config tool's "Enable registering new keys with the U2F Proxy
service" option.

Qubes OS 4.1 is not affected.


The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.2, in dom0:
- qubes-core-qrexec-dom0 version 4.2.17

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]


The issue was discovered by Ben Grande.


[1] https://www.qubes-os.org/doc/how-to-update/ 
[2] https://www.qubes-os.org/doc/testing/ 

The Qubes Security Team

  QSB-099: Qrexec policy leak via policy.RegisterArgument service