2019-04-26: The MirageOS security team today published MirageOS Security Announcement 02, describing a grant unshare vulnerability in mirage-xen versions before 3.3.0.
The current release of qubes-mirage-firewall (v0.5, released 2019-04-04) already has the fixes, but if you are using an older release then you should upgrade (see https://github.com/mirage/qubes-mirage-firewall for instructions).
The vulnerability means that older versions of the firewall could be attacked by a compromised sys-net domain. An attempted attack (on old or new versions of the firewall) will result in the message
WARNING: g.e. still in use!
appearing in the firewall's logs. You can check for this message from dom0 with:
[dom0]$ grep 'still in use' /var/log/xen/console/guest-mirage-firewall.*
This command should produce no results. I found the bug while reviewing some of the Mirage code, so I would not expect anyone to find anything this way.
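As an added example (not part of the original post or of qubes-mirage-firewall itself), here is the same check wrapped in a POSIX shell function that copes with rotated log files and with an unmatched glob, which makes the one-liner above fail with "No such file" rather than reporting a clean result. Only the warning text and the log path come from the post; the function names and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or qubes-mirage-firewall:
# a dom0 check for the "g.e. still in use" warning in the firewall's
# Xen console logs. Only the warning text and the log path are taken
# from the post; function names and sample log lines are made up here.

# check_grant_warning FILE...: count log lines carrying the warning across
# all given files (rotated copies included). Prints the total and returns
# 0 when nothing was found, 1 otherwise, so it can drive a cron alert.
check_grant_warning() {
    count=0
    for f in "$@"; do
        # An unmatched glob passes the literal pattern through; skip it
        # instead of letting grep fail on a non-existent file.
        [ -r "$f" ] || continue
        # grep -c exits 1 when the count is 0, so swallow that status.
        n=$(grep -c 'still in use' "$f" 2>/dev/null || true)
        count=$((count + n))
    done
    echo "$count"
    [ "$count" -eq 0 ]
}

# demo: run the check over constructed console logs (not real firewall
# output) in a temporary directory, laid out like the rotated
# guest-mirage-firewall.* files under /var/log/xen/console/.
# Returns the check's status (1 here, because one file has the warning).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'INF [net-xen frontend] connected' \
        'INF [firewall] waiting for packets' \
        > "$tmp/guest-mirage-firewall.log"
    printf '%s\n' \
        'INF [net-xen frontend] connected' \
        'WARNING: g.e. still in use!' \
        > "$tmp/guest-mirage-firewall.log.1"
    check_grant_warning "$tmp"/guest-mirage-firewall.*
    status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On a real dom0 you would call `check_grant_warning /var/log/xen/console/guest-mirage-firewall.*` and expect it to print `0` and exit 0; a non-zero exit is the signal worth alerting on.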
The vulnerability cannot be exploited directly over the Internet (you have to compromise sys-net first). It also cannot be exploited from the firewall's client AppVMs (only from sys-net). A successful attack allows sys-net to retain access to pages of the firewall's memory after the firewall thinks that it has revoked access. It's not clear exactly what sys-net could do with that, but upgrading is strongly recommended!