---===[ Qubes Security Bulletin #45 ]===--- 2018-12-03 Insecure default Salt configuration Summary ======== In Qubes OS, one use of Salt (aka SaltStack) is to configure software installed in domUs (including TemplateVMs and AppVMs). [1] To protect dom0 from potentially compromised domUs, all complex processing is done in a DisposableVM. [2] Each target domU being configured gets a separate DisposableVM, which is given power to execute arbitrary commands (through the qubes.VMShell qrexec service) in that target domU. In the default configuration, each DisposableVM generated for this purpose is based on the same default DVM Template that is used for all other default DisposableVM actions (including the default "Disposable: Firefox" menu entry). This DVM Template has a red label and has networking enabled, which might suggest that it is not security-critical. However, if this default DVM Template were compromised (for example, by a web browser plugin the user had installed there [3]), then the next time Salt were used, it could also compromise all target domUs it were configuring. Although it is possible to use an alternative DVM Template for Salt, the option to do so has not been exposed through any command-line or graphical user interface. Vulnerable systems ================== To exploit this vulnerability, two conditions must be met: 1. The user must actively use Salt to configure software inside a domU. This does not happen by default; user intervention is required. Only domUs configured by Salt are affected. 2. The user must compromise the default DVM Template. (For example, the user might customize the DVM Template by installing an untrusted program in it, not realizing the security implications of doing so.) The issue affects only Qubes OS 4.0. In Qubes 3.2, Salt processing occurs in a temporary AppVM based on the default TemplateVM. Resolution ========== To fix this problem, we are implementing two changes: 1. Adding the "management_dispvm" VM property, which specifies the DVM Template that should be used for management, such as Salt configuration. TemplateBasedVMs inherit this property from their parent TemplateVMs. If the value is not set explicitly, the default is taken from the global "management_dispvm" property. The VM-specific property is set with the qvm-prefs command, while the global property is set with the qubes-prefs command. 2. Creating the "default-mgmt-dvm" DVM Template, which is hidden from the menu (to avoid accidental use), has networking disabled, and has a black label (the same as TemplateVMs). This VM is set as the global "management_dispvm". Patching ========= The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes OS 4.0: - qubes-core-dom0 version 4.0.36 - qubes-mgmt-salt-dom0-virtual-machines version 4.0.15 - qubes-mgmt-salt-admin-tools version 4.0.12 For Qubes OS 3.2: - No packages necessary, since 3.2 is not affected. (See above for details.) The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. Credits ======== The issue was reported by Demi M. Obenour <demiobenour@gmail.com> References =========== [1] https://www.qubes-os.org/doc/salt/#configuring-a-vms-system-from-dom0 [2] https://github.com/QubesOS/qubes-issues/issues/1541#issuecomment-187482786 [3] https://www.qubes-os.org/doc/dispvm-customization/ -- The Qubes Security Team https://www.qubes-os.org/security/