Possible sys-firewall/net compromise. Help Wanted

Background: I use debian 11 as my default template and debian dvm template as the basis for my disposable sys-net and sys-firewall vms.

I mistakenly opened firefox and browsed 4-6 websites on my debian disposable template instead of on a disp vm before I noticed what I was doing. The websites were not trusted ones and javascript was enabled.

Assuming my debian disposable templated got compromised, then my sys-firewalland sys-net vms are compromised as well, as well as every disposable spawned from it.

Question 1: Assuming the above, what attacks can an adversary launch against my system? Given how I may have been compromised, the attack would probably not be targeted and the attacker just some hacker.

Question 2: How do I recover from this? Do I absolutely have to do a clean install ? If not, then what? I was thinking I could create a new appvm based on debian 11 template, check the property to allow it to be used as a disposable template, and then simply use this newly created disposable template as the basis for my sys-firewall and sys-net vms. Would this solve the problem? If so, is there anything special about the default debian 11 dvm that was automatically created on installation? Do I need to do anything else to make sure my sys-firewall and sys-net vms work properly and securely ?

I would really appreciate some help, I am a social worker and I rely on Qubes for important tasks but unfortunately I am not very tech savvy. Thanks in advance.

You can recover quickly by reverting the disposable template AppVM’s private volume, assuming you keep more than 1 revision.

Check out available revisions here:
qvm-volume info <dvm-template>:private

qvm-volume revert <dvm-template>:private <revision>

Make sure the unix timestamp on the <revision> is before the compromise.

1 Like

Worst case scenario, if you don’t have a backup of the private volume prior to the activity, you can just recreate the disposable VM template from scratch following the steps that you laid out there. If you use this disposable template just for sys-firewall and sys-net, at most you will lose the wifi configuration that you persisted in that template and, possibly, any advanced firewall rules, if you used /rw/ for those, but it’s a minimal loss. No need to reinstall the entirety of Qubes due to this mishap. There is nothing special about the way the installer creates these qubes (disposable template and sys-*), so you can recreate them easily.

1 Like

Just to add my 2 cents. If you didn’t have any sensitive data in your dvm-template (like you never should), I wouldn’t worry too much and would just created new dvm-template and dispVMs from the scratch.

For such a situations, I adopted new computer habits.