Vector: whonix-ws-16 disposable VM ; Tor Browser 11.0.6 ; scripts default (enabled)
Description:
I was on a clearnet website, over Tor, when I got an XSS Scripting attack popup notification. I closed the notification, and it repeatedly kept popping up. I closed Torbrowser, and the popup persisted.
I shutdown the disposible VM, only for it to immediately be restarted after shutdown. I immediately hit the Wifi hardware kill switch. Shut down all other VMs with no issues. The disposable whonix-ws VM refuses to stay shut down, continually restarting. Each time it is shut down from the terminal in dom0.
I have since attempted to recreate the XSS popup by going back to the same website (temporarily re-enabling the wifi hardware switch), but nothing happened. Hardware kill switches are all enabled, and I have not restarted the laptop.
Could someone be so kind as to recommend next actions? Is there any way to verify that I didn’t encounter a VM escape bug via a scripting attack?
The XSS attack might be from one of the account from google or the ads from one’s website. If you have read the news article, you might have a bad time due to their large amount of XSS scripts. The DVM does not verify where it coming from, but you might need the PTF tools to verify it. Otherwise, I would ping @Sven or @deeplow for that to troubleshoot.
Do you mean the Intel microcode updates? My 7500U Intel processor is among the affected on the list there.
I’m also running a Pursim, who disables 95% of the Intel ME on the Intel chip. Not sure how that affects the vulnerability.
So it looks alot like I might’ve just gotten hit with an attack vector like this. Seems too coincidental that such a rare VM escape bug comes along, and now, just a few weeks later I’m experiencing this.
As for the google ads, yeah, I’m pretty sure that I saw a bunch of text with google stuff inside of it. Unfortunately when I shut down the VM, I lost that text. Should’ve screenshotted first.
First of all, the Intel ME doesn’t affect the XSS notification due to the way of the structure. I am not sure there is a vulnerability out there yet to be open source, but that means part of the Intel ME still run with the older versions to protect your data. Secondly, the DVM might need another update from the Qubes Update menu. Lastly, upgrade your qubes version due to the EOL of R4.0. These things are the one to avoid those vulnerabilities from hacker to Game Over your operations. Thankfully, I have the link to the upgrading process. [How to upgrade to Qubes 4.1 | Qubes OS](R4.0 to R4.1 in place process)
I ran my last update on all VMs and on dom0 just 2 days ago, and I was putting off the upgrade to 4.1 for a few weeks until I had the time to play with the new version, since it looks like the GUI domain has entered the picture; and I run i3. So I’m assuming it will require some tweaking.
I think these are unrelated, not as a actual attack. I’ve seen both of theses things happening. You just probably had the unlikely situation of having them happen sequentially and are thus imaging a causal relationship, which is only normal.
A reminder of why it’s so important for software developers to focus on improving the stability and testing of their systems (which the Qubes team has been focusing resources on).
This happens a lot on news website and it’s annoying. NoScript keeps on telling us about XSS technical stuff. Honestly I’d prefer if they just straight up block it and not inform the user…
Changed the title to better reflect the issue at hand.
Also, for whonix-related questions, it’s always best to post instead on
So the developers of whonix can become aware of it. However in this case I think these are known things already. Searching there will provide some clues.
Thanks for the response. This was on 4.0.4, so I’m not sure, maybe it’s the same restart issue with whonix?
At any rate, I’m not taking any chances. And I need to upgrade to 4.1 anyways. And I just recently backed up all my Qubes, so it should be relatively less pain.
Because the strange behavior only started after I made the airgapped backup. I mean, no one can ever prove anything with certainty except for maybe math … but we go on the best evidence we have.
I think the smart guys here are probably right, it’s probably just related to a minor bug; but there are counterveiling reasons why that might not be so.
As I’ve stated a few times before, throwing into the mix the Intel microcode vulnerability …
compounded by the fact that I need to upgrade to 4.1 ANYWAYS … kinda makes this an easy decision.
The safest thing to do is reinstall, since I kind of need to do that anyways. I was gonna wait a few more weeks, but I guess today is the day.