---===[ Qubes Security Bulletin #45 ]===---

                             2018-12-03

                 Insecure default Salt configuration

Summary
========

In Qubes OS, one use of Salt (aka SaltStack) is to configure software
installed in domUs (including TemplateVMs and AppVMs). [1] To protect
dom0 from potentially compromised domUs, all complex processing is done
in a DisposableVM. [2] Each target domU being configured gets a separate
DisposableVM, which is given power to execute arbitrary commands
(through the qubes.VMShell qrexec service) in that target domU.

In the default configuration, each DisposableVM generated for this
purpose is based on the same default DVM Template that is used for all
other default DisposableVM actions (including the default "Disposable:
Firefox" menu entry). This DVM Template has a red label and has
networking enabled, which might suggest that it is not
security-critical.  However, if this default DVM Template were
compromised (for example, by a web browser plugin the user had installed
there [3]), then the next time Salt were used, it could also compromise
all target domUs it were configuring.

Although it is possible to use an alternative DVM Template for Salt, the
option to do so has not been exposed through any command-line or
graphical user interface.

Vulnerable systems
==================

To exploit this vulnerability, two conditions must be met:

1. The user must actively use Salt to configure software inside a domU.
   This does not happen by default; user intervention is required. Only
   domUs configured by Salt are affected.

2. The user must compromise the default DVM Template. (For example, the
   user might customize the DVM Template by installing an untrusted
   program in it, not realizing the security implications of doing so.)

The issue affects only Qubes OS 4.0. In Qubes 3.2, Salt processing
occurs in a temporary AppVM based on the default TemplateVM.

Resolution
==========

To fix this problem, we are implementing two changes:

1. Adding the "management_dispvm" VM property, which specifies the DVM
   Template that should be used for management, such as Salt
   configuration.  TemplateBasedVMs inherit this property from their
   parent TemplateVMs.  If the value is not set explicitly, the default
   is taken from the global "management_dispvm" property. The
   VM-specific property is set with the qvm-prefs command, while the
   global property is set with the qubes-prefs command.

2. Creating the "default-mgmt-dvm" DVM Template, which is hidden from
   the menu (to avoid accidental use), has networking disabled, and has
   a black label (the same as TemplateVMs). This VM is set as the global
   "management_dispvm".

Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes OS 4.0:
  - qubes-core-dom0 version 4.0.36
  - qubes-mgmt-salt-dom0-virtual-machines version 4.0.15
  - qubes-mgmt-salt-admin-tools version 4.0.12

  For Qubes OS 3.2:
  - No packages necessary, since 3.2 is not affected.
    (See above for details.)

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.


Credits
========

The issue was reported by Demi M. Obenour <demiobenour@gmail.com>

References
===========

[1] https://www.qubes-os.org/doc/salt/#configuring-a-vms-system-from-dom0
[2] https://github.com/QubesOS/qubes-issues/issues/1541#issuecomment-187482786
[3] https://www.qubes-os.org/doc/dispvm-customization/

--
The Qubes Security Team
https://www.qubes-os.org/security/