I have some standalone templates that have a specific offline function such as viewing and manipulating untrusted pdfs which means there are firefox installs here that I use that haven’t updated in years. Also some of the templates are fedora 30. But when I’m doing a full system update, it asks to update these and I usually deny. My question is this a security hole I’m leaving intentionally, even if they don’t have internet connectivity or for other reasons should I be updating them?
In theory, I suppose an attack could go like this:
- You have a really old VM that’s missing security updates.
- You open a malicious PDF in that VM (or in another VM based on it, if it’s a template).
- Since that VM is missing security updates, the malicious PDF Is able to exploit some known chain of vulnerabilities in it.
- If these unpatched known vulnerabilities include some kind of hypervisor escape, the malicious code could then use this compromised VM to attack other domUs, dom0, or the hypervisor itself. Or if that doesn’t work because your hypervisor code is patched, maybe the compromised VM could just use covert channels to leak confidential data. This wouldn’t require any hypervisor-related vulnerability at all, as covert channels are generally ubiquitous and practically impossible to prevent.
Anyway, this is based on my admittedly limited understanding. Happy to be corrected by anyone more knowledgeable.
Sounds plausible. I didn’t think it through like that. I shall be updating then. Thanks.
Why have these as templates? A standalone basically many advantages of Qubes. I don’t see an advantage in that approach vs having a disposable VM based on a template that is actually updated.
If you only want to have the PDF viewer you can setup a minimal and install only that software.
Yup just learned about minimals. Which is dual helping with performance issues as well.