This is the official release announcement for IPFire 2.25 - Core Update 142. This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing in a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.173.

For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.

This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities.

Support for Marvel's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in Fireinfo using this any more.

Suricata 5 - Our Intrusion Prevention System

suricata, the Intrusion Prevention System working inside of IPFire has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces using Rust, which has recently been added to IPFire. Protocol parsers written in Rust can - by design of the language - not have any stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS at the same time as making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable, and two testing branches to easier install unreleased builds.

We hope that this helping you to help us testing IPFire better and therefore be able to give us more valuable feedback on releases.

Misc.

  • pppd, the Point-to-Point protocol daemon which is used for DSL and LTE connections has a severe vulnerability which allowed Remote Code execution on the client and server side. It has also been updated to version 2.4.8 which fixes some more bugs.
  • Password for proxy users were limited to eight characters due to an old hash algorithm being used. This has now been upgraded and passwords of unlimited length can be used.
  • The squid web proxy has been updated to version 4.10 which closes a number of security vulnerabilities
  • ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3 since support for Python 2 is deprecated now.
  • Wireless Access Point devices are now properly added to a network bridge at boot time
  • Some smaller aesthetic fixes for the new DNS Configuration page

Add-Ons

Updates

  • clamav has been updated 0.102.2 which closes a number of security vulnerabilities
  • dehydrated has been fixed to properly conduct a backup and restore when it is being updated
  • guardian has received fixes for its HTTP log parser
  • haproxy has been updated to 2.1.3 and support for Lua has been enabled
  • libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  • The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
  • Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor 0.4.2.6, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by the people who maintain them. We believe that it is better to not offer them instead of exposing your systems to any security risks:

  • arm a CLI monitoring tool for tor
  • batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
  • cyrus-imapd - An IMAP/POP daemon
  • multicat & bitstream: Two tools to capture and decode multimedia streams over a network. Has been submitted to IPFire but was sadly never updated by the maintainer.
  • check_mk_agent - A monitoring tool
  • DirectFB - Graphics drivers
  • ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have ddns
  • icecast, icecastgenerator & streamripper - A media relay for radio streams
  • setserial - A tool to manage serial connections on console
  • rtpproxy - A relay for RTP streams

We currently have very limited development resources and would prefer investing those on things where more people benefit from. Please donate to support us!


Another exciting feature is landing in Core Update 142: Improved Kernel Rootkit Protection using code signing. This way, IPFire will protect itself against attackers trying to load third-party kernel modules.

What is a Rootkit?

A rootkit simply is malware for the kernel.

It dynamically modifies the code the kernel is running, just like any other kernel module. It can add or change functionality of the lowest layer of the operating system. Normal kernel modules might add support for another file system format, or a piece of hardware.

But what happens when that code does not do anything good?

What is the danger?

Since we are working on the kernel level, there is nothing that cannot be done. One of the most common things a rootkit does is changing the behaviour of syscalls. A syscall is a command sent to the kernel when a userspace program wants to perform a certain action.

For example, opening a file from disk. Obviously not every program implements a filesystem driver. That is why we have the kernel perform such low-level tasks.

When a program now asks the kernel to open a certain file, it sends a syscall to the kernel with the filename and some other information. The kernel then finds the right blocks on disk and sends them to the program. But what if an attacker wants to give us content from another file than we have requested? There is no way to find out, because Rootkits normally go undetected.

If we know exactly what we have to expect in that file we wanted to open, we will of course notice. But what if that file was a library? We are now running code inside of our program that we cannot verify.

We might run a deliberately vulnerable version of a library an attacker knows they can exploit over the network. We might write our data to a file that an attacker is receiving a copy of. We might mine cryptocurrency inside of our program without knowing or we simply might run code that tries to infect or exploit other systems.

Who might attack me?

Rootkits are extremely dangerous because they are so hard to detect. Everyone who wants to break into a network and wants to remain undetected would prefer this method.

And since a firewall is of course the best target because so much valuable information flows through it, we must to our best to not being infected in the first place.

Kernel Module Signinig

In IPFire 2.25 - Core Update 142, we are now cryptographically signing all kernel modules. That means every time a driver for a network adapter, a filesystem driver or other kernel module is loaded into the kernel, it is checked that this signature matches.

The signature is added during compile time of the kernel and after we are done with that, we throw the key away.

Nobody needs it any more. Nobody - not even we - have now the ability to change the kernel any more. The only way to change a line of code somewhere is to rebuild and re-ship the whole kernel.

An attacker can no longer build their rootkit source against an IPFire kernel and successfully load it onto a production system.

It is easy and very effective.

Thanks to everyone who helped delivering this feature to IPFire. If you want to support those people, please donate.


Only days after finally releasing our new DNS stack in IPFire 2.25 - Core Update 141, we are ready to publish the next update for testing: IPFire 2.25 - Core Update 142.

This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing in a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.171.

For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.

This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities. More on this in a later blog post.

Support for Marvel's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in fireinfo using this any more.

Suricata 5 - Our Intrusion Prevention System

suricata, the Intrusion Prevention System working inside of IPFire has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces using Rust, which has recently been added to IPFire. Protocol parsers written in Rust can - by design of the language - not have any stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS at the same time as making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable, and two testing branches to easier install unreleased builds.

We hope that this helping you to help us testing IPFire better and therefore be able to give us more valuable feedback on releases.

Misc.

  • pppd, the Point-to-Point protocol daemon which is used for DSL and LTE connections has a severe vulnerability which allowed Remote Code execution on the client and server side. It has also been updated to version 2.4.8 which fixes some more bugs.
  • Password for proxy users were limited to eight characters due to an old hash algorithm being used. This has now been upgraded and passwords of unlimited length can be used.
  • The squid web proxy has been updated to version 4.10 which closes a number of security vulnerabilities
  • ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3 since support for Python 2 is deprecated now.
  • Wireless Access Point devices are now properly added to a network bridge at boot time
  • Some smaller aesthetic fixes for the new DNS Configuration page

Add-Ons

Updates

  • clamav has been updated 0.102.2 which closes a number of security vulnerabilities
  • dehydrated has been fixed to properly conduct a backup and restore when it is being updated
  • guardian has received fixes for its HTTP log parser
  • haproxy has been updated to 2.1.3 and support for Lua has been enabled
  • libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  • The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
  • Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor 0.4.2.6, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by the people who maintain them. We believe that it is better to not offer them instead of exposing your systems to any security risks:

  • arm a CLI monitoring tool for tor
  • batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
  • cyrus-imapd - An IMAP/POP daemon
  • multicat & bitstream: Two tools to capture and decode multimedia streams over a network. Has been submitted to IPFire but was sadly never updated by the maintainer.
  • check_mk_agent - A monitoring tool
  • DirectFB - Graphics drivers
  • ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have ddns
  • icecast, icecastgenerator & streamripper - A media relay for radio streams
  • setserial - A tool to manage serial connections on console
  • rtpproxy - A relay for RTP streams

We currently have very limited development resources and would prefer investing those on things where more people benefit from. Please donate to support us!