QSB-092: An attacker in control of sys-whonix could bypass Tor, emit clearnet traffic, and learn the machine's real public IP address.

An attacker who manages to compromise a network-connected qube could
attempt to exploit the vulnerability described in this bulletin in order
to attack the service qube (such as sys-net, sys-firewall, sys-whonix,
or a VPN qube) that provides network access to the compromised qube.

An attacker in control of sys-whonix could bypass Tor, emit clearnet
traffic, and learn the machine’s real public IP address.

The Qubes security team believes that such an attack is unlikely to succeed
and that this vulnerability is not likely to be exploitable beyond
causing a crash.

This sounds like a fatal vulnerability. Does this affect other variations of Whonix (VirtualBox, KVM?) and is the Qubes team over, or underestimating the difficulty of doing this attack on Whonix?

Leaking the real IP from running code within the workstation is exactly what shouldn’t be possible in Whonix.

(FWIW; update is out, there is no general discussion forum here, this is not a support request)

QSB-092 Clearnet

QSB-092 Onion


Yes. If Whonix-Gateway is compromised, it’s game over. Whonix consists of components such as Debian, Linux kernel, Tor, virtualizer. It’s part of the TCB (trusted computing base). If any of it is compromised, so is Whonix or any other tool based on the same compromised components. This is stating the obvious, known and documented for over a decade. References:

Quote Whonix-Gateway Security - Whonix

If Whonix-Gateway ™ (sys-whonix) is ever compromised, the attacker can discover:

  • The user’s identity (public IP address).
  • All destinations visited.
  • The entirety of clear-text and onion service communication over Tor.

It’s also listed in the comparison table:
Anonymity Operating System Comparison - Whonix ™ vs Tails vs Tor Browser Bundle chapter Attacks in Whonix wiki

It’s impossible by definition. If your assumption is that the TCB can be compromised, then it’s game over for any tool. Hardening can make a difference. Different tools can do a different job at hardening. But the general inherent facts that if the TCB is compromised so is anything running on top of it can never be “fixed”.

It’s not an attack on Whonix specifically. It’s an attack on the Linux kernel.

I am not sure difficulty matters a lot for measuring security. Maybe pricing for exploits and how often these can be deployed would be a more useful measurement for comparison.

See also Technical Introduction chapter Security Overview in Whonix wiki which talks about the difficulty.

To assess the impact in practice, see:

1 Like

Yes, thank you. I’ve done extensive research of the documentation, but I’m not confident in knowing how exploits work in practice.

For example, since this is a kernel vulnerability, does that imply privilege escalation? Would this work on Whonix KVM, with root hardening, or would the firewall shut down any such attempts (assuming no exploit chaining to attain root).

An attack on the Linux kernel itself is supposed to be contained within the workstation.

"DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP. "

My understanding is that the gateway’s networking stack itself is the TCB, because it will be handling networking, but is isolated other than that. That would also mean game over for physical separation, and ultimately making an exploit of this degree impossible to prevent on any setup. Correct?

As a long time maintainer, how many vulnerabilities have you seen come and go on the TCB?

No. Privilege escalation is for example when a non-root user such as user “user” can get access to root.

Compromised kernel: game over

Maybe some sort of kernel hardening can prevent one or another kernel exploit but the general rule will always be true: compromised kernel = game over.

Not just for Whonix. But for any web server running that kernel.

And it is. Unless there’s an exploit chain to exploit a kernel through lets say a network connection to another VM.

And this is still true.

root privileges doesn’t equal remotely exploitable kernel running somewhere else on the network (internet or VM internal).

Yes. If an adversary has a remote kernel exploit then an adversary can exploit any kernel it can connect to over any network. Internet wide. Not limited at all to Whonix.

General computer security question.

1 Like

Thank you. All doubts cleared, excellent explanation.

On Whonix’s TCB :wink: . No need to answer, I looked it up but struggled navigating (or knowing what to look for) on the CVE sites.

A remote kernel exploit sounds extreme and rare. Not many things affect anonymity using a system like this.

2 posts were split to a new topic: nyx logs: [WARN] Guard is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself