Security 10775 Published by

IPFire 2.29 - Core Update 187 is now available for testing, with improved protection against Distributed Denial-of-Service attacks and several security patches for OpenSSH, Suricata, and Apache2.

The update enables IPFire to leverage TCP SYN cookies to protect infrastructure from SYN flood assaults, which is especially useful in high-bandwidth applications and cloud deployments. The IP Blocklist feature now supports two additional lists: 3CORESec and Abuse.ch Botnet C2. Vectorscan, a derivative of Intel's Hyperscan library, supports ARM64 architecture and is expected to increase the Intrusion Prevention System's performance. When configured in the most restrictive mode, the firewall generates more rules, and IPsec connections cannot be established using a FQDN as the Local/Remote ID. Unprivileged applications can no longer use the bpf() syscall, and OpenSSH has been updated to version 9.8p1 to address the privileges escalation attack known as regreSSHion.





IPFire 2.29 - Core Update 187 is available for testing

Another update for IPFire is available for testing! It comes with a hot new feature that will help protecting your infrastructure against (Distributed) Denial-of-Service attacks as well as a large number of security fixes in OpenSSH, Suricata and Apache2.

Advanced (Distributed) Denial-of-Service Protection

Since IPFire is very commonly deployed in data centres where denial-of-service attacks happen on a regular basis, we now have added better protection against those kinds of attacks. Formerly, the system protected itself rather well against (D)DoS attacks, but this was only limited if TCP connections terminated at the firewall itself like for reverse proxies, etc.

Now, IPFire can use TCP SYN cookies to protect infrastructure behind it better against SYN flood attacks. This is especially useful in high-bandwidth scenarios and cloud deployments and can be activated with only one checkbox separately for each firewall rule.

Read an in-depth explanation on how this works on the IPFire Blog.

Misc.

  • The IP Blocklist feature now supports two more lists: 3CORESec and Abuse.ch Botnet C2
  • Since Intel's  Hyperscan library is no longer available as free software, we have changed to  Vectorscan which is a fork of the original Hyperscan. On top of support the x86_64 architecture, Vectorscan supports ARM64 as well which should bring performance improvements for the Intrusion Prevention System.
  • The firewall will now create more rules when configured in the most restrictive mode to allow IPsec traffic to flow for any local connections.
  • It is not possible to create IPsec connections using an FQDN as Local/Remote ID instead of the usual email address-like format using the @@ prefix. With the @# prefix it is now also possible to match a connection by the ID of a key.
  • Unprivileged programs can no longer use the bpf() syscall. This is a precautionary measure as currently no program requires this, but it might be exploited by any attacker who manages to inject and execute code.
  • OpenSSH has been updated to version 9.8p1 to address the recently discovered privileges escalation attack commonly known as  regreSSHion.
  • Updated packages:
    Apache 2.4.61 (Addressing  CVE-2024-39573 CVE-2024-38477 CVE-2024-38476 CVE-2024-38475 CVE-2024-38474 CVE-2024-38473 CVE-2024-38472 CVE-2024-36387 and  CVE-2024-39884), BIND 9.16.50, cpio 2.15, cURL 8.8.0, dhcpcd 10.0.8, e2fsprogs 1.47.0, ed 1.20.2, ethtool 6.9, GCC 13.3.0, GnuTLS 3.8.5, iana-etc 20240502, Intel Microcode 20240531, iw 6.9, jq 1.7.1, kbd 2.6.4, libedit 20240517-3.1, zip 1.24.1, man-pages 6.8, mdadm 4.3, ntp 4.2.8p18, oath-toolkit 2.6.11, PAM 1.6.1, PCRE2 10.43, psmisc 23.7, screen 4.9.1, shadow 4.15.1, SQLite 3.46.0, squid 6.10, Suricata 7.0.6 addressing various security and stability fixes, Unbound 1.20.0, util-linux 2.40.1, vim 9.1, whois 5.5.23, xfsprogs 6.8.0, Zstd 1.5.6

Add-ons

  • apcupsd now sends email if power was lost and recovered.
  • Updated packages: dnsdist 1.9.4, fetchmail 6.4.38, Git 2.45.2, hplip 3.23.12, monit 5.34.0, nano 8.0, nut 2.8.2, Postfix 3.9.0, rsync 3.3.0, Samba 4.20.2, taglib 2.0.1, tmux 3.4, Tor 0.4.8.12, traceroute 2.1.5, tshark 4.2.5, wsdd 0.8, Zabbix Agent 6.0.30 (LTS)

IPFire 2.29 - Core Update 187 is available for testing