Help understanding Qubes Windows tools risk

strikerface · May 4, 2025, 4:03pm

I understand that the potentially compromised PV drivers are in a
qubes-tools-x64.msi package installed in a Windows VM. I read that there
were several RCEs and more vulnerabilities. So, if dom0 is not affected
(qsb91.txt), only the VM in which the potentially vulnerable driver is
installed is compromised? I really need to use QWT, so if I use the VM
without a netvm and then install the drivers, would there still be a
risk?

strikerface · May 13, 2025, 11:31am

If it is a stupid question, please message me.

CaesarVialpando · May 13, 2025, 5:09pm

I think this is most complete answer qubes-secpack/QSBs/qsb-091-2023.txt at master · QubesOS/qubes-secpack · GitHub

GWeck · May 14, 2025, 9:31am

As stated in the text, there is a risk that the Xen drivers used in QWT may have been compromised at build time so that they could then compromise a Windows VM using QWT with these drivers. Although such a scenario is quite complicated, and a Qubes-specific compromise is not likely, it cannot be excluded with certainty.

The text states, however, that such a possible compromise is restricted to the Windows VM containing any of these drivers in its QWT module, and that dom0 is not affected by this compromise. As long as this statement is valid, no additional risk for Qubes as a whole is to be expected. This is plausible as Qubes is explicitly constructed in such a way that no compromise of any non-privileged qube should be able to affect the rest of the system and that the possibility of successful external attacks is reduced, and their effects are mitigated…

Considering this situation, installation of QWT in a Windows qube might perhaps increase the risk of compromise for this qube. It depends on your threat model whether you are willing to accept this increase in risk or not. However, you should bear in mind that, in general, Windows VMs with or without QWT have to be considered to be already compromised, regarding the number of security holes found, documented, and only patched at one of the next update cycles, or even not at all. Increasing the number of these holes from, say, 3023 to 3024 may or may not be important to your special situation – so it is up to you to decide.

@marmarek: I would be interested in your opinion regarding this matter.

strikerface · May 18, 2025, 6:57pm

Thank you very much, that’s exactly kind of an answer I were expecting. I think you answered to all my questions and this thread can be closed, but I am also curious marmarek opinion so I think we should wait.