QSB #050: Reinstalling a TemplateVM does not reset the private volume
Update 2019-08-01: Fixed packages are now available. QSB #050 has been updated accordingly.
We have just published Qubes Security Bulletin (QSB) #050: Reinstalling a TemplateVM does not reset the private volume. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB #050 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/qsb/
---===[ Qubes Security Bulletin #50 ]===---
2019-08-01
Reinstalling a TemplateVM does not reset the private volume
History
========
2019-08-01: Added list of fixed packages and patching instructions
2019-07-24: Initial version
Description
============
In Qubes OS, we have the ability to reinstall a TemplateVM by running
`qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
This is supposed to reset the corresponding TemplateVM to the state of
the published package, i.e., no local changes should remain.
One uncommon reason to perform such a reinstallation is that you suspect
that a TemplateVM may be compromised. In such cases, it is very
important that no local changes persist in order to ensure that the
TemplateVM is no longer compromised.
Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
using qubes-dom0-update does not completely reset all local changes to
that TemplateVM. Although the tool itself and our documentation claim
that the private volume of the TemplateVM is reset during
reinstallation, the private volume does not actually get reset. This
could allow a TemplateVM to remain compromised across a reinstallation
of that TemplateVM using qubes-dom0-update.
Patching
=========
The specific packages that resolve the problems discussed in this
bulletin are as follows:
For Qubes 4.0:
- qubes-core-admin-client, python3-qubesadmin version 4.0.26
The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:
For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update
For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.
Workaround
===========
Independently of patching (see above), the following workaround is
available:
Rather than using the qubes-dom0-update method of reinstalling a
TemplateVM, you can instead manually remove the TemplateVM, then install
it again. Detailed instructions for this manual method are documented
here:
https://www.qubes-os.org/doc/reinstall-template/#manual-method
Credits
========
Thank you to Andrey Bienkowski <hexagonrecursion@gmail.com> for
discovering and reporting this issue.
References
===========
[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
--
The Qubes Security Team
https://www.qubes-os.org/security/