Software-update: OPNsense 22.7.5

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 22.7.5 uitgebracht en deze versie gaat vergezeld met de volgende aantekeningen:

OPNsense 22.7.5 released

Today we are fixing a security issue involving the "installer" user and kernel-based TCP panics that some have been fighting with since FreeBSD 13. Some ports and plugins have also been updated now that the holiday season is coming to its inevitable end.

The security issue arises on fresh 22.7 installs only due to a boot-time optimization of user account handling since 22.1.8. Users are not reset on each boot anymore which improved boot times with many users but also made the "installer" user stick with the default password in this situation. Physical access to the console with this user was possible under these conditions even after installation and updates were completed. SSH access was also possible when both not restricting login to keys and allowing root login manually. The mandatory reboot after the update to 22.7.5 or higher remedies this problem.

In a default install the issue could only be exploited by manual console access. In general we want to advise users not to yield shell/console access to non-administrators, restrict physical access if applicable, and not offer SSH access based on user accounts, especially when SSH is accessible from the WAN side without a VPN.

In any case we recommend all users of 22.7.x to update immediately or take the necessary precautions to avoid the "installer" user from being accessed in an unauthorized fashion.

Here are the full patch notes:

• system: remove stray installer account from fresh 22.7 installations
• system: only use withPadding() for RSA based public keys in CRL code
• system: remove unnecessary crl_update() calls in CRL code
• system: extend pool options support in gateway groups
• system: move get_searchdomains() to ifctl use and allow FQDN
• system: add replacement hook for rc.resolv_conf_generate script
• system: replace "dns reload" backend call with portable alternative
• system: remove obsolete rc.resolv_conf_generate script
• system: bring back the buttons action in OpenVPN dashboard widget (contributed by kulikov-a)
• system: assorted cleanups for IXR library used for XMLRPC
• system: catch errors in RSS dashboard widget
• system: stop reading product info from global $g variable in system information dashboard widget
• system: structurally improve boot sequence with regard to hosts/resolv.conf generation
• system: add keyUsage extension and follow RFC on basicConstraints in CA config (contributed by kulikov-a)
• interfaces: migrate wireless creation to legacy_interface_listget()
• firewall: support TOS/DSCP matching in firewall rules
• firewall: add os-firewall alias paths in getAliasSource() to prevent removal when being used
• firewall: get lockout interface from get_primary_interface_from_list()
• firewall: fix PHP 8 error in port forwarding page
• firewall: fix PHP 8 error in aliases (contributed by kulikov-a)
• firewall: parse pftop internal data conversion (contributed by kulikov-a)
• firmware: opnsense-update: return subscription key via -K if it exists
• ipsec: allow to set rightca in mobile phase 1 with EAP-TLS
• ipsec: fix multiple phase 2 IP addresses on the same interface (contributed by Wagner Sartori Junior)
• unbound: account for hostname during PTR creation
• unbound: maintain a consistent dnsbl cache state
• unbound: reduce blocklist read timeout (contributed by kulikov-a)
• web proxy: update pattern to zst for the Arch packages (contributed by gacekjk)
• plugins: os-crowdsec 1.0.1
• plugins: os-ddclient 1.9
• plugins: os-freeradius 1.9.21
• plugins: os-nginx 1.30
• src: ifconfig: print interface name on SIOCIFCREATE2 error
• src: igc: do not start in promiscuous mode by default
• src: tcp: correctly compute the retransmit length for all 64-bit platforms
• src: tcp: fix cwnd restricted SACK retransmission loop
• src: tcp: fix computation of offset
• src: tcp: send ACKs when requested
• ports: dnsmasq 2.87
• ports: expat 2.4.9
• ports: lighttpd 1.4.67
• ports: nss 3.83
• ports: phalcon 5.0.2
• ports: php 8.0.23
• ports: phpseclib 3.0.16
• ports: python 3.9.14
• ports: sqlite 3.39.3
• ports: squid 5.7
• ports: suricata 6.0.8
• ports: unbound 1.16.3