The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently-published problems in Intel processors.
Intel Vulnerabilities: RIDL, Fallout & ZombieLoad
Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but they can be partially mitigated through changes in the Linux kernel (4.14.120) and updated microcode (version 20190514). Both are shipped in this release.
Additionally, to mitigate this bug, which cannot be fixed at all, SMT is disabled by default on all affected processors, which has a significant performance impact.
Please note that Intel is unfortunately no longer releasing microcode for all processors, so you might still be vulnerable.
To apply the fixes, please reboot your system.
There is a new GUI which shows you which attacks your hardware is vulnerable to and whether mitigations are in place:
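The same information the new GUI displays comes from the kernel's sysfs interface, which is useful for checking from a shell or a monitoring script whether the mitigation actually took effect after the reboot (and for spotting the "no microcode" case mentioned above). The following is an added example, not IPFire's own code: the directory is passed as a parameter so the functions can be exercised against constructed sample files, and the status strings it matches are the ones the Linux kernel writes to `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control`.

```shell
#!/bin/sh
# Added example (not part of IPFire): summarise the kernel's MDS mitigation
# state. Linux 4.14.120+ exposes one file per vulnerability under
# /sys/devices/system/cpu/vulnerabilities/ and the SMT state under
# /sys/devices/system/cpu/smt/control.

# classify_mds FILE
# Prints one of: not_affected | mitigated | smt_vulnerable | vulnerable | unknown
classify_mds() {
    [ -r "$1" ] || { echo unknown; return 0; }
    status=$(cat "$1")
    case "$status" in
        "Not affected")                       echo not_affected ;;
        # microcode present, but sibling threads can still leak across SMT
        Mitigation:*"SMT vulnerable"*)        echo smt_vulnerable ;;
        Mitigation:*)                         echo mitigated ;;
        # includes "Vulnerable: Clear CPU buffers attempted, no microcode",
        # i.e. the kernel has the fix but Intel shipped no microcode for this CPU
        Vulnerable*)                          echo vulnerable ;;
        *)                                    echo unknown ;;
    esac
}

# smt_state FILE
# Prints the raw SMT control value (on, off, forceoff, notsupported, ...) or unknown
smt_state() {
    [ -r "$1" ] && cat "$1" || echo unknown
}

# report CPU_SYSFS_DIR
# Human-readable summary; returns 1 if MDS is not fully mitigated
report() {
    dir=${1:-/sys/devices/system/cpu}
    mds=$(classify_mds "$dir/vulnerabilities/mds")
    smt=$(smt_state "$dir/smt/control")
    echo "MDS: $mds (SMT control: $smt)"
    case "$mds" in
        not_affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live system when executed directly (arguments optional)
[ "${0##*/}" = "mds-check.sh" ] && report "$@"
```

`report` exits non-zero whenever MDS is reported as vulnerable or only partially mitigated, so it can be dropped into a cron job or a post-update check.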
Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.
The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.
This update also contains a number of various bug fixes:
- The new IPS now starts on systems with more than 16 CPU cores
- For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC, because CBC appears to be weakened by new attack vectors.
- OpenVPN has received some changes to the UI and improvements to its security.
- Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
- Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted (CVE-2020-19202, #12071)
- The same type of stored cross-site scripting attack was resolved in the static routing UI
- Log entries for Suricata now properly show up in the system log section
- Updated packages (all from Matthias Fischer):
The wireless AP add-on has received some new features:
- For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
- DFS is supported (on hardware that supports it, too), which is needed to use higher channels in the 5 GHz spectrum
- Management Frame Protection can optionally be enabled to encrypt management messages between the station and the access point. This prevents a rogue attacker from deauthenticating stations from the wireless LAN or carrying out other denial-of-service attacks.
- Qemu is now being hardened with libseccomp, which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default
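Whether a running QEMU process is actually confined by a seccomp filter can be verified from the kernel's process status: `/proc/<pid>/status` carries a `Seccomp:` line whose value is 0 (disabled), 1 (strict) or 2 (filter, which is what libseccomp installs). The following is an added example, not IPFire's own code; the status file path is a parameter so the function can be checked against constructed samples, and `check_qemu_processes` assumes `pgrep` is available.

```shell
#!/bin/sh
# Added example (not part of IPFire): confirm that QEMU runs under a seccomp
# filter by reading the "Seccomp:" field of /proc/<pid>/status.

# seccomp_mode STATUS_FILE
# Prints 0, 1 or 2 as reported by the kernel, or "unknown" if unreadable/absent
seccomp_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # Only the "Seccomp:" line; newer kernels also print "Seccomp_filters:",
    # which the anchored pattern deliberately does not match.
    mode=$(awk '/^Seccomp:/ { print $2; exit }' "$1")
    if [ -n "$mode" ]; then echo "$mode"; else echo unknown; fi
}

# is_filtered STATUS_FILE
# Returns 0 only when a seccomp filter (mode 2) is in place
is_filtered() {
    [ "$(seccomp_mode "$1")" = 2 ]
}

# check_qemu_processes
# Walks every qemu process on the live system; returns 1 if any is unconfined
check_qemu_processes() {
    rc=0
    for pid in $(pgrep -f qemu-system 2>/dev/null); do
        if is_filtered "/proc/$pid/status"; then
            echo "pid $pid: seccomp filter active"
        else
            echo "pid $pid: NOT confined (Seccomp: $(seccomp_mode "/proc/$pid/status"))"
            rc=1
        fi
    done
    return $rc
}

[ "${0##*/}" = "qemu-seccomp-check.sh" ] && check_qemu_processes
```

A QEMU that was started without the sandbox shows `Seccomp: 0`; the check reports it and exits non-zero so the condition is visible in logs rather than silently assumed.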