QSB #056: Insufficient anti-spoofing firewall rules
https://www.qubes-os.org/news/2019/12/25/qsb-056/
We have just published Qubes Security Bulletin (QSB) #056:
Insufficient anti-spoofing firewall rules.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB #056 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-056-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/bulletins/
---===[ Qubes Security Bulletin #56]===---
2019-12-25
Insufficient anti-spoofing firewall rules
Summary
=======
The firewall configuration in Qubes OS prevents IP address spoofing in
downstream interfaces (e.g., network-providing qubes, network-consuming
qubes, and `vif*` interfaces). However, it does not prevent IP spoofing
in upstream interfaces (normally `eth0`, but in the case of VPNs or
other configuration, there may also be others).
Impact
======
Configurations with inter-VM networking allowed [1] or additional
interfaces created (e.g., VPNs) are vulnerable to IP spoofing. Combined
with other vulnerabilities, such as the procedure described in the
CVE-2019-14899 report [2], this could allow an upstream qube (e.g.,
sys-net) to inject data into an established connection.
Discussion
==========
The anti-spoofing firewall rules in a network-providing qube look like
this:
*raw
...
-A PREROUTING ! -s 10.137.0.5/32 -i vif12.0 -j DROP
-A PREROUTING ! -s 10.137.0.6/32 -i vif17.0 -j DROP
-A PREROUTING ! -s 10.137.0.7/32 -i vif18.0 -j DROP
-A PREROUTING ! -s 10.137.0.8/32 -i vif21.0 -j DROP
COMMIT
Each `vif*` interface drops packets if its source IP does not match the
one assigned to the qube behind that interface. However, it does not
ensure that the source IP does not appear on any other (non-`vif`)
interface.
The other property could, in theory, be achieved by this FORWARD chain:
*filter
...
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
COMMIT
These rules should reject packets not belonging to established
connections on non-vif interfaces. Moreover, without seeing other
packets in the connection, it should be prohibitively difficult to forge
packets that would be considered to be part of an established
connection. However, methods like the one described in the
CVE-2019-14899 report [2] allow one to guess the required parameters.
Note that if a connection normally goes through a given qube (without
any further protection like TLS), that qube can always manipulate the
traffic without guessing anything.
The default Qubes configuration is secure, since network traffic either
goes directly to the upstream qube (which, by definition, has access to
that traffic), or it is an inter-VM connection attempt, which is
prevented by the third rule (meaning that there are no connections in
the conntrack table that the upstream qube could try to hijack).
However, once the user departs from the default configuration, e.g., by
introducing inter-VM communications [1] (allowing traffic between some
`vif*` interfaces), or VPN-like interfaces, the default rules are no
longer sufficient, since an upstream qube can inject packets (by
spoofing the source IP) into connections that normally do not pass
through it in the clear.
Our solution to this problem is twofold:
1. For Qubes OS 4.0, whenever a running qube is connected to a
network-providing qube, an additional firewall rule is added that
blocks the running qube's IP as a source on other network interfaces.
2. For Qubes OS 4.1 and later, we will modify the firewall mechanism so
https://www.qubes-os.org/news/2019/12/25/qsb-056/
We have just published Qubes Security Bulletin (QSB) #056:
Insufficient anti-spoofing firewall rules.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB #056 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-056-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/bulletins/
---===[ Qubes Security Bulletin #56]===---
2019-12-25
Insufficient anti-spoofing firewall rules
Summary
=======
The firewall configuration in Qubes OS prevents IP address spoofing in
downstream interfaces (e.g., network-providing qubes, network-consuming
qubes, and `vif*` interfaces). However, it does not prevent IP spoofing
in upstream interfaces (normally `eth0`, but in the case of VPNs or
other configuration, there may also be others).
Impact
======
Configurations with inter-VM networking allowed [1] or additional
interfaces created (e.g., VPNs) are vulnerable to IP spoofing. Combined
with other vulnerabilities, such as the procedure described in the
CVE-2019-14899 report [2], this could allow an upstream qube (e.g.,
sys-net) to inject data into an established connection.
Discussion
==========
The anti-spoofing firewall rules in a network-providing qube look like
this:
*raw
...
-A PREROUTING ! -s 10.137.0.5/32 -i vif12.0 -j DROP
-A PREROUTING ! -s 10.137.0.6/32 -i vif17.0 -j DROP
-A PREROUTING ! -s 10.137.0.7/32 -i vif18.0 -j DROP
-A PREROUTING ! -s 10.137.0.8/32 -i vif21.0 -j DROP
COMMIT
Each `vif*` interface drops packets if its source IP does not match the
one assigned to the qube behind that interface. However, it does not
ensure that the source IP does not appear on any other (non-`vif`)
interface.
The other property could, in theory, be achieved by this FORWARD chain:
*filter
...
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
COMMIT
These rules should reject packets not belonging to established
connections on non-vif interfaces. Moreover, without seeing other
packets in the connection, it should be prohibitively difficult to forge
packets that would be considered to be part of an established
connection. However, methods like the one described in the
CVE-2019-14899 report [2] allow one to guess the required parameters.
Note that if a connection normally goes through a given qube (without
any further protection like TLS), that qube can always manipulate the
traffic without guessing anything.
The default Qubes configuration is secure, since network traffic either
goes directly to the upstream qube (which, by definition, has access to
that traffic), or it is an inter-VM connection attempt, which is
prevented by the third rule (meaning that there are no connections in
the conntrack table that the upstream qube could try to hijack).
However, once the user departs from the default configuration, e.g., by
introducing inter-VM communications [1] (allowing traffic between some
`vif*` interfaces), or VPN-like interfaces, the default rules are no
longer sufficient, since an upstream qube can inject packets (by
spoofing the source IP) into connections that normally do not pass
through it in the clear.
Our solution to this problem is twofold:
1. For Qubes OS 4.0, whenever a running qube is connected to a
network-providing qube, an additional firewall rule is added that
blocks the running qube's IP as a source on other network interfaces.
2. For Qubes OS 4.1 and later, we will modify the firewall mechanism so
that it maintains aa list of connected qubes and their addresses,
even when they are not running. All such addresses will be rejected
on upstream network interfaces.
The main difference between these two solutions is that fix for Qubes OS
4.0 does not protect against spoofing the addresses of qubes that are
not running. However, since 4.0 is a stable release, we must consider
the impact of such a solution on the stability of this release. This fix
is a much simpler change that carries a considerably lower risk of
introducing a regression.
Patching
========
The specific packages that resolve the problems discussed in this
bulletin are as follows:
For Qubes OS 4.0:
- qubes-core-agent version 4.0.51
The packages for domUs are to be installed in TemplateVMs and
StandaloneVMs via the Qube Manager or via their respective package
managers:
For updates to Fedora from the stable repository
(not immediately available):
$ sudo dnf update
For updates to Fedora from the security-testing repository:
$ sudo dnf update --enablerepo=qubes-vm-*-security-testing
For updates to Debian from the stable repository
(not immediately available):
$ sudo apt update && sudo apt dist-upgrade
For updates to Debian from the security-testing repository:
First, uncomment the line below "Qubes security updates testing
repository" in:
/etc/apt/sources.list.d/qubes-r*.list
Then:
$ sudo apt update && sudo apt dist-upgrade
A restart is required for these changes to take effect. This entails
shutting down the TemplateVM before restarting all the TemplateBasedVMs
based on that TemplateVM.
These packages will migrate from the security-testing repositories to
their respective current (stable) repositories over the next two weeks
after being tested by the community.
Credits
========
The issue was reported by Demi Marie Obenour.
References
==========
[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-14899
--
The Qubes Security Team
https://www.qubes-os.org/security/
even when they are not running. All such addresses will be rejected
on upstream network interfaces.
The main difference between these two solutions is that fix for Qubes OS
4.0 does not protect against spoofing the addresses of qubes that are
not running. However, since 4.0 is a stable release, we must consider
the impact of such a solution on the stability of this release. This fix
is a much simpler change that carries a considerably lower risk of
introducing a regression.
Patching
========
The specific packages that resolve the problems discussed in this
bulletin are as follows:
For Qubes OS 4.0:
- qubes-core-agent version 4.0.51
The packages for domUs are to be installed in TemplateVMs and
StandaloneVMs via the Qube Manager or via their respective package
managers:
For updates to Fedora from the stable repository
(not immediately available):
$ sudo dnf update
For updates to Fedora from the security-testing repository:
$ sudo dnf update --enablerepo=qubes-vm-*-security-testing
For updates to Debian from the stable repository
(not immediately available):
$ sudo apt update && sudo apt dist-upgrade
For updates to Debian from the security-testing repository:
First, uncomment the line below "Qubes security updates testing
repository" in:
/etc/apt/sources.list.d/qubes-r*.list
Then:
$ sudo apt update && sudo apt dist-upgrade
A restart is required for these changes to take effect. This entails
shutting down the TemplateVM before restarting all the TemplateBasedVMs
based on that TemplateVM.
These packages will migrate from the security-testing repositories to
their respective current (stable) repositories over the next two weeks
after being tested by the community.
Credits
========
The issue was reported by Demi Marie Obenour.
References
==========
[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-14899
--
The Qubes Security Team
https://www.qubes-os.org/security/
Qubes OS 4.0.2 has been released!
https://www.qubes-os.org/news/2020/01/02/qubes-4-0-2/
We’re pleased to announce the release of Qubes 4.0.2! This is the second
stable point release of Qubes 4.0. It includes many updates over the
initial 4.0 release, in particular:
All 4.0 dom0 updates to date
Fedora 30 TemplateVM
Debian 10 TemplateVM
Whonix 15 Gateway and Workstation TemplateVMs
Linux kernel 4.19 by default
Qubes 4.0.2 is available on the Downloads (https://www.qubes-os.org/downloads/) page.
What is a point release?
A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.2.
What should I do?
If you installed Qubes 4.0 or 4.0.1 and have fully updated (https://www.qubes-os.org/doc/updating-qubes-os/), then
your system is already equivalent to a Qubes 4.0.2 installation. No
further action is required.
Similarly, if you’re currently using a Qubes 4.0.2 release candidate
(4.0.2-rc1, 4.0.2-rc2, or 4.0.2-rc3), and your system is fully
updated (https://www.qubes-os.org/doc/updating-qubes-os/), then your system is equivalent to a 4.0.2 stable installation,
and no additional action is needed.
Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.2 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date.
Note: At 4.5 GiB, the Qubes 4.0.2 ISO will not fit on a
single-layer DVD (for the technical details underlying this, please see
issue #5367 (https://github.com/QubesOS/qubes-issues/issues/5367)). Instead, we recommend copying the ISO onto a
sufficiently large USB drive (https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium). However, if you would prefer to
use optical media, we suggest selecting a dual-layer DVD or Blu-ray disc.
Thank you to all the release candidate users for testing this release
and reporting issues (https://www.qubes-os.org/doc/reporting-bugs/)!
https://www.qubes-os.org/news/2020/01/02/qubes-4-0-2/
We’re pleased to announce the release of Qubes 4.0.2! This is the second
stable point release of Qubes 4.0. It includes many updates over the
initial 4.0 release, in particular:
All 4.0 dom0 updates to date
Fedora 30 TemplateVM
Debian 10 TemplateVM
Whonix 15 Gateway and Workstation TemplateVMs
Linux kernel 4.19 by default
Qubes 4.0.2 is available on the Downloads (https://www.qubes-os.org/downloads/) page.
What is a point release?
A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.2.
What should I do?
If you installed Qubes 4.0 or 4.0.1 and have fully updated (https://www.qubes-os.org/doc/updating-qubes-os/), then
your system is already equivalent to a Qubes 4.0.2 installation. No
further action is required.
Similarly, if you’re currently using a Qubes 4.0.2 release candidate
(4.0.2-rc1, 4.0.2-rc2, or 4.0.2-rc3), and your system is fully
updated (https://www.qubes-os.org/doc/updating-qubes-os/), then your system is equivalent to a 4.0.2 stable installation,
and no additional action is needed.
Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.2 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date.
Note: At 4.5 GiB, the Qubes 4.0.2 ISO will not fit on a
single-layer DVD (for the technical details underlying this, please see
issue #5367 (https://github.com/QubesOS/qubes-issues/issues/5367)). Instead, we recommend copying the ISO onto a
sufficiently large USB drive (https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium). However, if you would prefer to
use optical media, we suggest selecting a dual-layer DVD or Blu-ray disc.
Thank you to all the release candidate users for testing this release
and reporting issues (https://www.qubes-os.org/doc/reporting-bugs/)!
Xen Project 4.12.2 is available!
https://xenproject.org/2020/01/03/xen-project-4-12-2-is-available/
I am pleased to announce the release of the Xen 4.12.2. Xen Project maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of...
https://xenproject.org/2020/01/03/xen-project-4-12-2-is-available/
I am pleased to announce the release of the Xen 4.12.2. Xen Project maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of...
The Xen Project: A decade of innovation and looking forward to 2020 and beyond
https://xenproject.org/2020/01/07/the-xen-project-a-decade-of-innovation-and-looking-forward-to-2020-and-beyond/
As we enter a new decade, it is worthwhile to look back at the last year and decade to glance into the crystal ball for what 2020 and beyond may...
https://xenproject.org/2020/01/07/the-xen-project-a-decade-of-innovation-and-looking-forward-to-2020-and-beyond/
As we enter a new decade, it is worthwhile to look back at the last year and decade to glance into the crystal ball for what 2020 and beyond may...
Qubes Canary #22
https://www.qubes-os.org/news/2020/01/15/canary-22/
We have published Qubes Canary #22. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).
View Qubes Canary #22 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-022-2020.txt
Learn about the qubes-secpack, including how to obtain, verify, and read
it:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canaries/
---===[ Qubes Canary #22 ]===---
Statements
-----------
The Qubes core developers who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is January 13, 2020.
2. There have been 56 Qubes Security Bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
two weeks of April 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
Special announcements
----------------------
None.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.
The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.
Proof of freshness
-------------------
Mon, 13 Jan 2020 11:12:28 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
The U.S. Versus Iran: A Dangerous New Era in the Middle East
Germany Plans to Repatriate Ebola Patients
Can Nuclear Power Offer a Way Out of the Climate Crisis?
Killing of Iran General Soleimani Akin to War Declaration
Dissendent Describes 'Cultural Genocide' Against Uighurs
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Seven Days in January: How Trump Pushed U.S. and Iran to the Brink of War
Desperate Residents Ignore Dangers of Philippine Volcano and Return Home
A New Home for French Socialists, on Paris’s Periphery
A Growing U.S. Base Made This Afghan Town. Now It’s Dying.
Iran Cracks Down as Protests Over Downing of Airliner Grow
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Taal volcano: Lava spews as 'hazardous eruption' feared
Iran plane downing: Canadian PM promises 'justice' at memorial
Hevrin Khalaf: Death of a peacemaker
Retired Pope Benedict warns Francis against relaxing priestly celibacy rules
Egypt-Ethiopia row: The trouble over a giant Nile dam
Source: Reuters: World News (http://feeds.reuters.com/reuters/worldnews)
'Oust Uncle': Thailand's jog for dissent signals new breed of activists
Britain's royal showdown: queen hosts Meghan-Harry crisis talks
https://www.qubes-os.org/news/2020/01/15/canary-22/
We have published Qubes Canary #22. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).
View Qubes Canary #22 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-022-2020.txt
Learn about the qubes-secpack, including how to obtain, verify, and read
it:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canaries/
---===[ Qubes Canary #22 ]===---
Statements
-----------
The Qubes core developers who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is January 13, 2020.
2. There have been 56 Qubes Security Bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
two weeks of April 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
Special announcements
----------------------
None.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.
The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.
Proof of freshness
-------------------
Mon, 13 Jan 2020 11:12:28 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
The U.S. Versus Iran: A Dangerous New Era in the Middle East
Germany Plans to Repatriate Ebola Patients
Can Nuclear Power Offer a Way Out of the Climate Crisis?
Killing of Iran General Soleimani Akin to War Declaration
Dissendent Describes 'Cultural Genocide' Against Uighurs
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Seven Days in January: How Trump Pushed U.S. and Iran to the Brink of War
Desperate Residents Ignore Dangers of Philippine Volcano and Return Home
A New Home for French Socialists, on Paris’s Periphery
A Growing U.S. Base Made This Afghan Town. Now It’s Dying.
Iran Cracks Down as Protests Over Downing of Airliner Grow
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Taal volcano: Lava spews as 'hazardous eruption' feared
Iran plane downing: Canadian PM promises 'justice' at memorial
Hevrin Khalaf: Death of a peacemaker
Retired Pope Benedict warns Francis against relaxing priestly celibacy rules
Egypt-Ethiopia row: The trouble over a giant Nile dam
Source: Reuters: World News (http://feeds.reuters.com/reuters/worldnews)
'Oust Uncle': Thailand's jog for dissent signals new breed of activists
Britain's royal showdown: queen hosts Meghan-Harry crisis talks
Iran protesters take to the streets in third day of demos over plane
Australian prime minister's approval rating goes up in flames
Thai elephants march in silence for Australian bushfires
Source: Blockchain.info
0000000000000000000444803ca23cffb65ea59fb0afef4065b2ea897a03e120
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
Australian prime minister's approval rating goes up in flames
Thai elephants march in silence for Australian bushfires
Source: Blockchain.info
0000000000000000000444803ca23cffb65ea59fb0afef4065b2ea897a03e120
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
Xen Project Design and Developer Summit: Registration and CFP Open Now!
https://xenproject.org/2020/01/17/xen-project-design-and-developer-summit-registration-and-cfp-open-now/
Starting today, registration and Call for Proposals officially opens for the Xen Project Developer & Design Summit. This year’s Summit, taking place from June 2nd through the 4th at the...
https://xenproject.org/2020/01/17/xen-project-design-and-developer-summit-registration-and-cfp-open-now/
Starting today, registration and Call for Proposals officially opens for the Xen Project Developer & Design Summit. This year’s Summit, taking place from June 2nd through the 4th at the...
Qubes OS 4.0.3 has been released!
https://www.qubes-os.org/news/2020/01/23/qubes-4-0-3/
We’re pleased to announce the release of Qubes 4.0.3! This is the third
stable point release of Qubes 4.0. While it includes only minimal
changes over 4.0.3-rc1 and 4.0.2, it includes many updates over the
initial 4.0 release, in particular:
All 4.0 dom0 updates to date
Fedora 30 TemplateVM
Debian 10 TemplateVM
Whonix 15 Gateway and Workstation TemplateVMs
Linux kernel 4.19 by default
Qubes 4.0.3 is available on the Downloads (https://www.qubes-os.org/downloads/) page.
What is a point release?
A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.3.
What should I do?
If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3-rc1 and have fully
updated (https://www.qubes-os.org/doc/updating-qubes-os/), then your system is already equivalent to a Qubes 4.0.3
installation. No further action is required.
Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.3 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date.
Note: The Qubes 4.0.3 ISO will not fit on a single-layer DVD (for
the technical details underlying this, please see issue #5367 (https://github.com/QubesOS/qubes-issues/issues/5367)).
Instead, we recommend copying the ISO onto a sufficiently large USB
drive (https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium). However, if you would prefer to use optical media, we
suggest selecting a dual-layer DVD or Blu-ray disc.
Thank you to all the release candidate users for testing this release
and reporting issues (https://www.qubes-os.org/doc/reporting-bugs/)!
https://www.qubes-os.org/news/2020/01/23/qubes-4-0-3/
We’re pleased to announce the release of Qubes 4.0.3! This is the third
stable point release of Qubes 4.0. While it includes only minimal
changes over 4.0.3-rc1 and 4.0.2, it includes many updates over the
initial 4.0 release, in particular:
All 4.0 dom0 updates to date
Fedora 30 TemplateVM
Debian 10 TemplateVM
Whonix 15 Gateway and Workstation TemplateVMs
Linux kernel 4.19 by default
Qubes 4.0.3 is available on the Downloads (https://www.qubes-os.org/downloads/) page.
What is a point release?
A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.3.
What should I do?
If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3-rc1 and have fully
updated (https://www.qubes-os.org/doc/updating-qubes-os/), then your system is already equivalent to a Qubes 4.0.3
installation. No further action is required.
Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.3 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date.
Note: The Qubes 4.0.3 ISO will not fit on a single-layer DVD (for
the technical details underlying this, please see issue #5367 (https://github.com/QubesOS/qubes-issues/issues/5367)).
Instead, we recommend copying the ISO onto a sufficiently large USB
drive (https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium). However, if you would prefer to use optical media, we
suggest selecting a dual-layer DVD or Blu-ray disc.
Thank you to all the release candidate users for testing this release
and reporting issues (https://www.qubes-os.org/doc/reporting-bugs/)!
XCP-ng Joins the Xen Project as an Incubation Project
https://xenproject.org/2020/01/28/xcp-ng-joins-the-xen-project-as-an-incubation-project/
Today, the Xen Project is happy to welcome XCP-ng as an incubation project. XCP-ng is a fully open-source virtualization platform and is a result of the massive cooperation between individuals...
https://xenproject.org/2020/01/28/xcp-ng-joins-the-xen-project-as-an-incubation-project/
Today, the Xen Project is happy to welcome XCP-ng as an incubation project. XCP-ng is a fully open-source virtualization platform and is a result of the massive cooperation between individuals...
Saying Goodbye to Lars Kurth: Open Source Advocate and Friend
https://xenproject.org/2020/01/31/saying-goodbye-to-lars-kurth-open-source-advocate-and-friend/
It is with a heavy heart that the Xen Project community says goodbye to Advisory Board Chair, Lars Kurth. Lars passed away earlier this week, leaving a hole in our...
https://xenproject.org/2020/01/31/saying-goodbye-to-lars-kurth-open-source-advocate-and-friend/
It is with a heavy heart that the Xen Project community says goodbye to Advisory Board Chair, Lars Kurth. Lars passed away earlier this week, leaving a hole in our...
Services for Lars Kurth
https://xenproject.org/2020/02/04/services-for-lars-kurth/
A funeral for Lars Kurth will be held on Friday, 7 February, at 11:45 am. Everyone is welcome to attend. Location and further information here: http://larskurth.muchloved.com
https://xenproject.org/2020/02/04/services-for-lars-kurth/
A funeral for Lars Kurth will be held on Friday, 7 February, at 11:45 am. Everyone is welcome to attend. Location and further information here: http://larskurth.muchloved.com
Xen Project is Participating in May 2020 to August 2020 Outreachy Internships Round
https://xenproject.org/2020/02/20/xen-project-is-participating-in-may-2020-to-august-2020-outreachy-internships-round/
The Xen Project is excited to be participating in the Outreachy internship program which supports diversity in free and open source software. The Xen Project’s participation in this round is...
https://xenproject.org/2020/02/20/xen-project-is-participating-in-may-2020-to-august-2020-outreachy-internships-round/
The Xen Project is excited to be participating in the Outreachy internship program which supports diversity in free and open source software. The Xen Project’s participation in this round is...
Unikraft: Building Powerful Unikernels Has Never Been Easier!
https://xenproject.org/2020/02/21/xen-project-is-participating-in-may-2020-to-august-2020-outreachy-internships-round-2/
Two years ago, the Xen Project introduced Unikraft (http://unikraft.org) as an incubation project. Over the past two years, the Unikraft project has seen some great momentum. Since the last release,...
https://xenproject.org/2020/02/21/xen-project-is-participating-in-may-2020-to-august-2020-outreachy-internships-round-2/
Two years ago, the Xen Project introduced Unikraft (http://unikraft.org) as an incubation project. Over the past two years, the Unikraft project has seen some great momentum. Since the last release,...
NitroPad X230 passes hardware certification for Qubes 4.0!
https://www.qubes-os.org/news/2020/03/04/nitropad-x230-qubes-certification/
It is our pleasure to announce that the NitroPad X230 (https://shop.nitrokey.com/shop/product/nitropad-x230-67) has become the
second Qubes-certified Laptop (https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230) for Qubes 4.0! This makes
Nitrokey (https://www.nitrokey.com/) the first vendor in Europe to have a product pass Qubes
hardware certification.
What is Qubes Certified Hardware?
Qubes Certified Hardware (https://www.qubes-os.org/doc/certified-hardware/) is hardware that has been certified by the
Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0,
in order to achieve certification, the hardware must satisfy a rigorous
set of requirements (https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements), and the vendor must commit to offering customers
the very same configuration (same motherboard, same screen, same BIOS
version, same Wi-Fi module, etc.) for at least one year.
Qubes-certified Laptops (https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230), in particular, are regularly tested
by the Qubes developers to ensure compatibility with all of Qubes’
features. The developers test all new major versions and updates to
ensure that no regressions are introduced.
It is important to note, however, that Qubes Hardware Certification
certifies only that a particular hardware configuration is supported
by Qubes. The Qubes OS Project takes no responsibility for any
manufacturing or shipping processes, nor can we control whether physical
hardware is modified (whether maliciously or otherwise) en route to
the user. (However, see below for information about how the Insurgo team
mitigates this risk.)
About the NitroPad X230
https://www.qubes-os.org/news/2020/03/04/nitropad-x230-qubes-certification/
It is our pleasure to announce that the NitroPad X230 (https://shop.nitrokey.com/shop/product/nitropad-x230-67) has become the
second Qubes-certified Laptop (https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230) for Qubes 4.0! This makes
Nitrokey (https://www.nitrokey.com/) the first vendor in Europe to have a product pass Qubes
hardware certification.
What is Qubes Certified Hardware?
Qubes Certified Hardware (https://www.qubes-os.org/doc/certified-hardware/) is hardware that has been certified by the
Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0,
in order to achieve certification, the hardware must satisfy a rigorous
set of requirements (https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements), and the vendor must commit to offering customers
the very same configuration (same motherboard, same screen, same BIOS
version, same Wi-Fi module, etc.) for at least one year.
Qubes-certified Laptops (https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230), in particular, are regularly tested
by the Qubes developers to ensure compatibility with all of Qubes’
features. The developers test all new major versions and updates to
ensure that no regressions are introduced.
It is important to note, however, that Qubes Hardware Certification
certifies only that a particular hardware configuration is supported
by Qubes. The Qubes OS Project takes no responsibility for any
manufacturing or shipping processes, nor can we control whether physical
hardware is modified (whether maliciously or otherwise) en route to
the user. (However, see below for information about how the Insurgo team
mitigates this risk.)
About the NitroPad X230
The NitroPad X230 (https://shop.nitrokey.com/shop/product/nitropad-x230-67) offers users unprecedented control over the security
of their hardware. Key features include:
Tamper detection through measured boot with Coreboot (https://www.coreboot.org/), Heads (https://github.com/osresearch/heads/), and
Nitrokey USB hardware, including support for Anti Evil Maid (AEM) (https://www.qubes-os.org/doc/anti-evil-maid/).
Deactivated Intel Management Engine (https://libreboot.org/faq.html#intelme)
User-replaceable cryptogrpahic keys
Included Nitrokey USB key
Professional ThinkPad hardware based on the ThinkPad X230 (https://www.thinkwiki.org/wiki/Category:X230).
Security-conscious shipping to mitigate against third-party
interdiction (https://en.wikipedia.org/wiki/Interdiction).
For further details, please see the original NitroPad announcement (https://www.nitrokey.com/news/2020/nitropad-secure-laptop-unique-tamper-detection).
How to get one
Please see the NitroPad X230 (https://shop.nitrokey.com/shop/product/nitropad-x230-67) on the Nitrokey website (https://www.nitrokey.com/) for
more information.
of their hardware. Key features include:
Tamper detection through measured boot with Coreboot (https://www.coreboot.org/), Heads (https://github.com/osresearch/heads/), and
Nitrokey USB hardware, including support for Anti Evil Maid (AEM) (https://www.qubes-os.org/doc/anti-evil-maid/).
Deactivated Intel Management Engine (https://libreboot.org/faq.html#intelme)
User-replaceable cryptogrpahic keys
Included Nitrokey USB key
Professional ThinkPad hardware based on the ThinkPad X230 (https://www.thinkwiki.org/wiki/Category:X230).
Security-conscious shipping to mitigate against third-party
interdiction (https://en.wikipedia.org/wiki/Interdiction).
For further details, please see the original NitroPad announcement (https://www.nitrokey.com/news/2020/nitropad-secure-laptop-unique-tamper-detection).
How to get one
Please see the NitroPad X230 (https://shop.nitrokey.com/shop/product/nitropad-x230-67) on the Nitrokey website (https://www.nitrokey.com/) for
more information.
XSA-315 does not affect the security of Qubes OS
https://www.qubes-os.org/news/2020/03/12/xsa-315-qubes-not-affected/
The Xen Project has published Xen Security Advisory 315 (XSA-315).
This XSA does not affect the security of Qubes OS, and no user
action is necessary.
This XSA has been added to the XSA Tracker (https://www.qubes-os.org/security/xsa/):
https://www.qubes-os.org/security/xsa/#315
https://www.qubes-os.org/news/2020/03/12/xsa-315-qubes-not-affected/
The Xen Project has published Xen Security Advisory 315 (XSA-315).
This XSA does not affect the security of Qubes OS, and no user
action is necessary.
This XSA has been added to the XSA Tracker (https://www.qubes-os.org/security/xsa/):
https://www.qubes-os.org/security/xsa/#315
One of the Big Things coming soon, in Qubes 4.1, is the first public version of the GUI domain: the next step in decoupling the graphical hardware, the display and management, and the host system. Very briefly, the GUI domain is a qube separate from dom0 that handles all the display-related tasks and some system management.
Why make a GUI domain at all?
One of the biggest security concerns at the moment for Qubes is how much power is in dom0. Once a person has access to it, they can do anything: and while we separate it quite effectively from what is running inside application qubes, dom0 is still a big, bloated and complex domain that performs many disparate functions. It handles managing other domains, display and graphical interfaces, multiple devices (including audio devices), memory and disk management, and so on.
We mitigate many of the GUI-related risks (like the powers wielded by the window manager, or the fact that huge, complex libraries such as Qt/Gtk are always an increased attack surface) through compartmentalization: Applications in VMs can’t talk to GUI toolkits in dom0 other than through a very limited Qubes-GUI protocol, and GUI toolkits in application VMs can’t talk directly to dom0’s X server. Moreover, dom0 is responsible for drawing the colored window borders the represent trust levels, so compromised VMs can’t spoof them.
Nonetheless, having a GUI in dom0 at all is, at best, a source of many dangerous temptations. It’s far too easy to use it to access untrusted (and thus potentially dangerous data), for example by mounting a disk from a qube into dom0. Even browsing relaxing landscapes as desktop wallpapers can expose dom0 to numerous vulnerabilities that intermittently appear in image-processing libraries.
Furthermore, while in theory dom0 is isolated from the outside world, some graphical devices (e.g. displays connected via HDMI or DVI) offer two-way communication, which threatens this isolation and makes it harder to maintain. If a malicious device (rather than the user’s trusted monitor) were to be connected to one of these ports, it could inject data that could be processed inside of dom0. As long as graphical devices are in dom0, they also cannot be safely proxied to other domains. This is because the various solutions to multiplexing access to the GPU at the GPU/driver level (which would expose the “full” GPU to a VM) are orders of magnitude more complex than running display drivers in just one place. We consider this added complexity too risky to put it in dom0. Errors in the drivers could expose dom0 to an attack, and attacks on dom0 are the biggest threat to the Qubes security model.
The current model, in which the GUI and administrative domains are both within dom0, is also problematic from a management point of view. The way existing user-based privilege control works in most modern systems is one of the reasons why we need Qubes at all: It provides far too little separation, and root exploits seem to be inescapable in a system as monolithic as Linux. Separating the GUI domain from dom0 allows us to manage its access to the underlying system.
This has obvious uses in an organizational context, allowing for (possibly remotely) managed Qubes installations, but even in a personal computer context it is often extremely useful to have multiple user accounts with truly separate permissions and privileges. Perhaps you would like to create a guest account for any friend who needs to borrow your computer for a moment, and allow that account to create Disposable VMs, but not to create normal qubes and not to access other users’ qubes. It becomes possible when the GUI domain is decoupled from dom0. All kinds of kiosk modes, providing safer environments for less-technical users who prefer to be sure they cannot break something accidentally, multi-user environments — they all become possible.
What needs to be ready?
Why make a GUI domain at all?
One of the biggest security concerns at the moment for Qubes is how much power is in dom0. Once a person has access to it, they can do anything: and while we separate it quite effectively from what is running inside application qubes, dom0 is still a big, bloated and complex domain that performs many disparate functions. It handles managing other domains, display and graphical interfaces, multiple devices (including audio devices), memory and disk management, and so on.
We mitigate many of the GUI-related risks (like the powers wielded by the window manager, or the fact that huge, complex libraries such as Qt/Gtk are always an increased attack surface) through compartmentalization: Applications in VMs can’t talk to GUI toolkits in dom0 other than through a very limited Qubes-GUI protocol, and GUI toolkits in application VMs can’t talk directly to dom0’s X server. Moreover, dom0 is responsible for drawing the colored window borders the represent trust levels, so compromised VMs can’t spoof them.
Nonetheless, having a GUI in dom0 at all is, at best, a source of many dangerous temptations. It’s far too easy to use it to access untrusted (and thus potentially dangerous data), for example by mounting a disk from a qube into dom0. Even browsing relaxing landscapes as desktop wallpapers can expose dom0 to numerous vulnerabilities that intermittently appear in image-processing libraries.
Furthermore, while in theory dom0 is isolated from the outside world, some graphical devices (e.g. displays connected via HDMI or DVI) offer two-way communication, which threatens this isolation and makes it harder to maintain. If a malicious device (rather than the user’s trusted monitor) were to be connected to one of these ports, it could inject data that could be processed inside of dom0. As long as graphical devices are in dom0, they also cannot be safely proxied to other domains. This is because the various solutions to multiplexing access to the GPU at the GPU/driver level (which would expose the “full” GPU to a VM) are orders of magnitude more complex than running display drivers in just one place. We consider this added complexity too risky to put it in dom0. Errors in the drivers could expose dom0 to an attack, and attacks on dom0 are the biggest threat to the Qubes security model.
The current model, in which the GUI and administrative domains are both within dom0, is also problematic from a management point of view. The way existing user-based privilege control works in most modern systems is one of the reasons why we need Qubes at all: It provides far too little separation, and root exploits seem to be inescapable in a system as monolithic as Linux. Separating the GUI domain from dom0 allows us to manage its access to the underlying system.
This has obvious uses in an organizational context, allowing for (possibly remotely) managed Qubes installations, but even in a personal computer context it is often extremely useful to have multiple user accounts with truly separate permissions and privileges. Perhaps you would like to create a guest account for any friend who needs to borrow your computer for a moment, and allow that account to create Disposable VMs, but not to create normal qubes and not to access other users’ qubes. It becomes possible when the GUI domain is decoupled from dom0. All kinds of kiosk modes, providing safer environments for less-technical users who prefer to be sure they cannot break something accidentally, multi-user environments — they all become possible.
What needs to be ready?