Security Advisories

The webserver shipped with an IACBOX (apache) had a source code disclosure vulnerability in version 2.4.60.
This was only partially fixed with version 2.4.61 that has already been shipped with IACBOX version 21.0-p21566.
We have not been able to trigger this vulnerability anymore, but to be safe, we advise you to update to the latest version 21.0-p21573

See the apache changelog for details

The discovered vulenerability in the RADIUS protocol called Blast-RADIUS affects Radius and iPass authentication on the IACBOX.

Who is affected?
Only systems with activated external authentication method Radius or iPass are affected as plain Radius (without EAP) is in use.
- Note that Radius can also be used as authentication method for WebAdmin logins which is also affected.
- Radius as part of 802.1x is not affected as EAP should always be in use there.

There's a possible MITM attack that can change a denied authentication into a successful authentication.
The attacker needs to craft a matching MD5-HMAC within the clients timeout, so this needs resources and time, so this is not easy to exploit.

Changes
- From now on Radius requests always have the Message-Authenticator attribute set
- There's a new Radius setting in WebAdmin under Login Methods -> External Authentication -> Radius: Force Message Authenticationwhich checks if a Radius response has the attribute Message-Authenticator.
This new option has to be switched on manually as it's maybe not backwards compatible with your Radius server that does not send this attribute.

Further Information
See the blastradius.fail page for more details

The webserver shipped with an IACBOX (apache) has multiple vulnerabilities which have been fixed with httpd version2.4.60 and 2.4.61.
As some of the vulnerabilities allow DoS attacks, all users are advised to update their systems to 21.0-p21566.

See the apache changelog for details

OpenSSH has a serious remote code execution vulnerability which gets fixed with 21.0-p21561.
See all details in the Qualys report (regreSSHion)
Workaround for systems that can't be updated right now: Disable SSH access from all interfaces or add rules to your firewall so that SSH port (TCP/22) is not reachable.

There's a possible local priviledge escalation in the Linux kernel GSM module. Also if the module is not used it can be loaded and exploited
UPDATE: Patchlevel update 21.0-p21543 replaces update 21.0-p21536 which provided a workaround for this issue.

The IACBOX is not affected as the used liblzma version does not contain this vulnerability.

An OpenSSH connection can be downgraded during handshake (Terrapin attack). As SSH is only rarely used for remote control connections this does not really affect normal operation.