The development team of the open-source firewall pfSense released the new version 2.2.3 on 25.06.2015. It fixes a number of bugs and ships important security updates. The update is especially important for anyone using IPsec on a pfSense 2.2.x installation; you should update without delay.
The larger / most important security updates include:
- Closing an XSS (cross-site scripting) hole in the pfSense web GUI
- Updating OpenSSL in FreeBSD, since older versions contain various vulnerabilities
The upgrade is relatively low-risk for anyone already running pfSense 2.2.x. Anyone running version 2.1.x or earlier should read the upgrade notes more carefully; keywords: IPsec, rekeying, NAT-D, glxsb crypto, mobile users, disk driver, Xen users, GEOM mirrors, CARP, Solarflare NIC, FTP proxy, wireless NIC users, LAGG LACP, Intel 10 Gbit SFP modules, Layer7, and Microsoft load balancing / Open Mesh traffic: Link to the Upgrade Notes
List of new features and changes in pfSense 2.2.3
- pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
  - The complete list of affected pages and fields is very large and all are listed in the linked SA.
- FreeBSD-SA-15:10.openssl: Multiple OpenSSL vulnerabilities (including Logjam): CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-4000
  - NOTE: pfSense ships with a default set of DH parameters because of the time/CPU they require to generate. A new set of DH parameters may be generated by the user at any time as described in Importing OpenVPN DH Parameters.
- Fixes for filesystem corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
- Changed new filesystems to use the 'sync' option to avoid loss of data.
- Added upgrade code to activate the 'sync' option on the root slice for existing installations.
- Changed new filesystems to use softupdates and journaling (AKA SU+J).
- Changed the way fsck is handled at boot time:
  - Followed best practice of using fsck from the FreeBSD rc.d/fsck script. (Run preen mode first and later try forcefully fixing issues.)
  - Added as much information during boot on the status of the filesystem as possible.
  - Changed fsck to run with the -C flag and always in the foreground during boot to prevent issues that might schedule background mode.
- The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD.
- Fixed a problem with more than 64 IP addresses in the "self" table in pf.
- Fixed issues with FQDNs in aliases causing static entries to be lost. #4296
- Added the tracker ID rule number lookup to dynamic firewall log. #4730
- Fixed alias rename and delete not being propagated to outbound NAT. #4701
- Fixed tracker IDs of policy route negation rules which had been duplicating the tracker ID of the rule they were based upon. This confused the log parser and displayed the negation rule rather than the actual rule. #4651
- Fixed logging of passed IGMP traffic when the rule is not set to log. #4383
- Fixed a situation where a combination of L2TP, overlapping subnets, port forwards and NAT reflection could cause an invalid ruleset. #4772
- Added a GUI field to control the size of the pf fragment limit. #4775
- Updated strongSwan to 5.3.2. #4750
- Integrated a patch from https://wiki.strongSwan.org/issues/951 to solve IPsec SA rekey issues on strongSwan+FreeBSD. #4686
- Added patches from FreeBSD PR 200282 to help address IPsec rekey issues.
- Backported FreeBSD r283146 and patch from FreeBSD PR 192774 to address PF_KEY ACQUIRE missing port and protocol information.
- Added reply-to/route-to rules for mobile-ipsec. #4235
- Removed the manual specification of reqid in the IPsec configuration because strongSwan 5.3.0 has fixed issues with its handling, which caused the existing code to misbehave. #4665
- Fixed the display and behavior of the LAN bypass option for IPsec. #4655
- Fixed IPsec LAN bypass toggling every time save is pressed. #4640
- Changed how charon is started and restarted to fix various issues with IPsec configuration reloading. #4268
- Added new modes for IPsec Phase 1 according to RFC 5903 (Elliptic Curve groups). #4260
- Implemented the "make before break" feature available in strongSwan 5.3.0, which is useful for IKEv2. #4626
- Fixed vpn_ipsec_configure so it always performs a filter reload to ensure the ruleset is updated where necessary in every IPsec change scenario. #4631
- Added support for EAP-RADIUS to IKEv2 Mobile Clients. #4614
- Fixed a panic/crash when accessing services on the firewall over mobile IPsec on 32-bit installations (set net.inet.ipsec.directdispatch=0 on i386). #4537
- Fixed an issue with FQDN hosts and PSKs. #4785
- Added a space to the OpenVPN TLS Verify script to avoid appended parameters appearing the same as existing parameters.
- Fixed get_interface_ip() to return the IP address correctly for gateway groups specifying a VIP, which fixed OpenVPN clients not working with gateway groups specifying VIPs. #4661
- Changed the OpenVPN client settings to allow just one of either the username or password to be specified. #3633
- Fixed OpenVPN servers listening on associated IPv6 addresses.
- Fixed filterdns to use the proper API for ipfw changes on FreeBSD 10.1+ to correct captive portal allowed hostnames not being loaded into tables at boot time. #4746
- Fixed Captive Portal RADIUS accounting. #4131
- Fixed Captive Portal Idle-Timeout causing a value of 2147483647 for acctsessiontime. #4652
- Fixed disconnection of active voucher users, and corrected disconnection of users especially when triggered via XMLRPC. #4625
- Fixed both the kernel and choparp to better handle I/O and prevent issues in the way it handles BPF, which can contribute to a panic when using Proxy ARP VIPs. #4685
- Merged a patch that avoids a panic on sockbuf module. #4689
- Fixed AESNI to be SMP friendly to avoid various decryption errors and possible encryption mistakes. Also added critical_enter/critical_exit to avoid preemption of the currently running thread, which should fix panics. #4702
- Updated time zone data from FreeBSD 10.1-RELEASE. #4459
- Fixed creation of /var/spool/lock on NanoBSD at boot time. #4532
- Removed boot_serial='yes' from loader.conf when serial is disabled. #4617
- Fixed an issue where mtree would fail during an upgrade from a previous version of FreeBSD when moving to 2.2.x. #4653
- Added support for Sierra Wireless MC7354.
- Added support for Intel X552, ixgbe changes from stable/10, and moved altq changes for ixgbe to the large ixgbe patch.
- Enabled ix/ixv/ixl modules in the kernel.
- Fixed duplication of statistics on vlan(4) interfaces for outgoing bytes. #3314
- Fixed updating wireless statistics so that the output bytes are not always zero. #4028
- Added a patch from FreeBSD PR 200722 for mpd5 to prevent it from printing a warning when renaming an interface to an existing name.
- Fixed SLAAC/DHCPv6 handling for cases where the global SLAAC IPv6 address might be present when using DHCPv6. #4483
- Corrected descriptions on Key Rotation and Master Key Regeneration for wireless interfaces.
- Removed the "insert my MAC" feature from interfaces.php.
- Defined $var_path as a global key since it is being used in interfaces.inc, but it was not declared.
- Fixed issues setting the MTU on certain interfaces. #4397
- Fixed various issues with PBI generation.
- Synchronized and cleaned up various pfPorts, eliminated several that had changes pushed back into FreeBSD ports.
- Fixed an issue where rebuild_package_binaries_pbi.php could fail due to missing build files. #4600
- Backported patches from FreeBSD stable/10 to fix a crash when stopping squid. #4592
- Fixed pfflowd to use the correct version for parsing the new pfsync header and corrected the pfsync version check. #4304
- Updated pkg_edit.php with fixes for usecolspan2 and combinedfields.
- Fixed pagination on pkg.php.
- Fixed boot-time log file initialization for package logs. #4603
- Clarified that DNS Forwarder and Resolver both apply in DHCP/DHCPv6 and router advertisements. #3730
- Removed unnecessary filtering on the DHCP static mappings table.
- Added appropriate RA Flags for "Stateless DHCP".
- Added error checking to avoid warnings about DHCP relay during boot.
- Fixed hostname validation for static DHCP leases such that only fully qualified hostnames must be unique, not only short names.
- Fixed adding DHCP static mappings from the DHCP leases view to non-default pools. #4649
- Stopped invalid DHCP settings from being applied when input errors exist.
- Removed DHCP static lease overlap cleanup and its associated function and killing of the DHCP daemon. This behavior could cause problems with failover scenarios, especially when adding/editing/removing static mappings.
- Fixed language selection. #4705
- Changes to status.php to make it easier to gather and submit support information:
  - Added sanitization of OpenVPN static/tls keys to status.php.
  - Cleaned up, organized, and expanded the info presented by status.php.
  - Changed status.php to additionally save the output to individual text files and compress them into a .tgz for later download.
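As an added illustration of the key sanitization mentioned above (this is example code, not pfSense's own status.php), the following redacts OpenVPN key material from a config.xml fragment before it is written into a support bundle. The element names `<tls>` and `<shared_key>` are assumed to match the OpenVPN server layout in pfSense's config.xml, and the sample XML below is constructed for the example.

```php
<?php
// Added example, not pfSense code: strip OpenVPN static/TLS keys from an XML
// configuration dump so that a support bundle never carries usable key material.
// Assumption: keys live in <tls>...</tls> and <shared_key>...</shared_key>.

/**
 * Replace the contents of secret-bearing elements with a fixed marker.
 * The regex is non-greedy and dot-matches-newline (/s) because the base64
 * key blobs in config.xml may span several lines.
 *
 * @param string $xml  raw config.xml text
 * @return string      the same text with key contents redacted
 */
function sanitize_openvpn_keys($xml) {
    $secret_elements = array('tls', 'shared_key');
    foreach ($secret_elements as $el) {
        $xml = preg_replace(
            '#(<' . $el . '>)(.*?)(</' . $el . '>)#s',
            '$1[REDACTED]$3',
            $xml
        );
    }
    return $xml;
}

/**
 * Defensive check used after redaction: returns true when no base64-looking
 * blob is left inside a secret element, so a bundle can refuse to be built
 * if sanitization failed for some reason.
 */
function openvpn_keys_are_redacted($xml) {
    return preg_match('#<(tls|shared_key)>[A-Za-z0-9+/=\s]{16,}</\1>#s', $xml) === 0;
}

// Constructed sample: the key contents are placeholder base64, not real keys.
$sample = <<<XML
<openvpn-server>
  <vpnid>1</vpnid>
  <tls>LS0tLS1CRUdJTiBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ==
QUJDREVGR0hJSktMTU5PUA==</tls>
  <shared_key>QUJDREVGR0hJSktMTU5PUA==</shared_key>
  <local_port>1194</local_port>
</openvpn-server>
XML;

$clean = sanitize_openvpn_keys($sample);
echo $clean, PHP_EOL;
echo openvpn_keys_are_redacted($clean) ? "keys redacted\n" : "REDACTION FAILED\n";
```

The second function exists so that a bundle-builder can fail closed: if the redaction pass ever misses a key (for instance because an element was renamed), the check trips before anything is compressed or uploaded.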
- Fixed setup wizard LAN DHCP pool calculation to avoid an invalid pool.
- Improved the setup wizard hostname check. #4712
- Fixed some minor text issues in wizards.
- Changed the wizard to use the current WAN gateway name rather than assuming the name. #4713
- Updated and corrected the wireless status flags and capabilities list. There are many more possible flags, now documented on the wiki at Wireless Status.
- Added a fall back to look up local user privileges and groups if the groups could not be found from LDAP and there is a local user.
- Fixed Crash Reporter submissions when symlinks were present as part of crash report, which would fail to save the report on the server. #4650
- Set a user agent for the Crash Reporter.
- Cleaned up code logic in status_upnp.php.
- Changed CARP so that it does not trigger a carp demotion taskqueue if the value is 0, which can cause the cluster to misbehave.
- Fixed issues for CARP+Bridges where pfSense would crash or freeze. #4607
- Fixed the CARP plugin call for packages. The "interface" parameter was coming through as NULL during CARP events.
- Added INIT event for CARP in devd.conf as an alternate for 'backup', otherwise scripts would not take down services during a MASTER->INIT transition. (e.g. interface unplug, link loss)
- Fixed NTP so that it properly uses selected CARP IP addresses. #4370
- Fixed CARP packet flow after initial interface creation. #4633
- Fixed limiters when used with IPv6. #2526
- Corrected handling of NAT when RDR/BINAT is applied on packet and it is being sent to limiters. #4596
- Disabled defer in pfsync which is used for active-active deployments not usable in FreeBSD. This should fix hangs reported on some machines with pfsync, specifically with Limiters. #4310
- Consistently handle clear_subsystem_dirty after an Unbound restart.
- Added a call to clear_subsystem_dirty('staticmaps') when using Unbound, otherwise DHCP static mappings would not fully apply when Unbound was in use. #4678
- Fixed an Unbound warning when "dnsallowoverride" was off and port forwarding was on. #4682
- Re-enabled verification for selfhost DynDNS since their chain issue has been resolved. #4545
- Updated PHP to 5.5.26.
- Fixed various issues in the installer for GEOM mirrors (mirror slice detection, gmirror cleanup on non-clean disks.) #4658
- Fixed new user creation to use skel as the source of new user files rather than copying from the home directory of root.
- Changed growl so it will not be called if the configured address isn't an IP address or a resolvable hostname. This avoids the 1 minute timeout delay in fsockopen in growl.class; this change cuts that down to about a 20 second timeout. #4739
- Added a reboot after restoring a full backup in the GUI. #4107
- Deprecated /usr/local/bin/3gstat as it was no longer used. It was replaced by 3gstats.php long ago.
- Started using the "host!" flag when setting CURLOPT_INTERFACE, as recommended by the CURL documentation.
- Started passing the interface to CURLOPT_INTERFACE instead of the IP address, also started using the "if!" flag to avoid CURL trying to resolve the interface name.
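The two CURLOPT_INTERFACE items above describe a small but security-relevant detail: libcurl accepts a bare string and guesses whether it is an interface name, an IP address or a hostname, and the `if!` and `host!` prefixes remove that guesswork (and, for `if!`, the DNS lookup that would otherwise happen for an interface name). The following is an added example, not pfSense's own code, of building that value and binding a fetch to it; the interface names, addresses and URL are constructed sample values, and `curl_interface_value` and `fetch_via_interface` are hypothetical helper names.

```php
<?php
// Added example, not pfSense code: choose the CURLOPT_INTERFACE value so that
// libcurl never tries to resolve a kernel interface name and never mistakes an
// address for an interface. The "if!" and "host!" prefixes are libcurl features.

/**
 * Return the string to pass to CURLOPT_INTERFACE.
 *  - IP addresses (v4 or v6) get "host!", so libcurl binds to that address and
 *    does not fall back to interpreting the text as an interface name.
 *  - Names that look like FreeBSD interfaces (em0, vtnet1, lagg0, em0.100)
 *    get "if!", so libcurl binds to the interface without any DNS lookup.
 *  - Anything else is treated as a hostname and also gets "host!".
 *
 * @param string $bind_to  interface name, IP address or hostname
 * @return string
 */
function curl_interface_value($bind_to) {
    if (filter_var($bind_to, FILTER_VALIDATE_IP) !== false) {
        return 'host!' . $bind_to;
    }
    // Heuristic: interface names are letters followed by a unit number, with an
    // optional ".<vlan>" suffix; hostnames normally contain a dotted label instead.
    if (preg_match('/^[a-z]+[0-9]+(\.[0-9]+)?$/', $bind_to)) {
        return 'if!' . $bind_to;
    }
    return 'host!' . $bind_to;
}

/**
 * Fetch a URL bound to the given interface/address, with the short connect
 * timeout this release also adopts for URL table aliases.
 *
 * @return string|null  response body, or null on failure (error goes to the log)
 */
function fetch_via_interface($url, $bind_to, $connect_timeout = 5) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
    curl_setopt($ch, CURLOPT_INTERFACE, curl_interface_value($bind_to));
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    $body = curl_exec($ch);
    if ($body === false) {
        error_log("fetch of {$url} via {$bind_to} failed: " . curl_error($ch));
        curl_close($ch);
        return null;
    }
    curl_close($ch);
    return $body;
}

// Show the value construction for a few constructed inputs (no network needed).
foreach (array('em0', 'em0.100', 'lagg0', '192.0.2.10', '2001:db8::1', 'wan.example.com') as $b) {
    printf("%-16s -> %s\n", $b, curl_interface_value($b));
}
```

The practical effect of the prefixes is that a firewall with many interfaces and a slow or unreachable resolver no longer stalls on a DNS lookup for a name like `em0`, and a value that happens to be both a valid hostname and an interface name cannot be bound to the wrong one.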
- Fixed NTP serial configuration to setup the serial port before attempting to configure a GPS unit.
- Cleaned up various HTML/XHTML issues.
- Fixed a check for deleting a VIP when in use by OpenVPN.
- Fixed issues with backup/restore of a config.xml breaking the serial console on ADI installs. #4720
- Fixed several issues with boot speed when WAN was disconnected. #4442
- Reduced the timeout for HTTP/HTTPS connection attempts for items like URL table aliases. Once connected, they can run past that. 5 seconds should be more than enough for any properly-functioning network.
- Removed some unused/obsolete files.