Release Notes CSG 7.2.10

Collax Security Gateway
14.07.2022

Installation Notes

Update Instructions

To install this update, follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done using the backup information e-mail).
  2. In the administration interface, go to Menu → Software → System Update and press Get Package List. This downloads the list of available update packages. If successful, the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown once the update process is complete.

New in this version

Firewall: Country Lock (Geo-IP Filter)

This update introduces Geo-IP lists. With a country block, connections from selected countries can be blocked by the firewall; lists that assign IP addresses to a country are used for this purpose. A second mode is available for creating a whitelist: then only IP addresses from the selected countries are allowed. A country lock also applies to access via IPv6. The lists are located in the Firewall -> General dialog.
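The two modes described above, block list versus whitelist, behave differently for an address that no Geo-IP list covers at all. The following added example (not Collax's code) shows that difference with a constructed country-to-prefix mapping; the prefixes, the country codes and the fail-closed handling of unmapped addresses in whitelist mode are assumptions for illustration, not the product's actual lists or policy.

```python
import ipaddress

# Constructed sample Geo-IP data: country code -> network prefixes.
# These are documentation ranges, not real country allocations.
GEOIP_PREFIXES = {
    "DE": ["192.0.2.0/24", "2001:db8:1::/48"],
    "FR": ["198.51.100.0/24", "2001:db8:2::/48"],
    "US": ["203.0.113.0/24", "2001:db8:3::/48"],
}


def build_lookup(prefixes):
    """Flatten the country map into (network, country) pairs, longest prefix first,
    so the most specific entry wins when lists overlap."""
    entries = []
    for country, nets in prefixes.items():
        for net in nets:
            entries.append((ipaddress.ip_network(net), country))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


LOOKUP = build_lookup(GEOIP_PREFIXES)


def country_of(ip):
    """Return the country code for an IPv4 or IPv6 address, or None if no list covers it."""
    addr = ipaddress.ip_address(ip)
    for net, country in LOOKUP:
        if addr.version == net.version and addr in net:
            return country
    return None


def country_lock_allows(ip, countries, mode="block"):
    """Decide whether the firewall lets a connection from `ip` through.

    mode="block": connections from the listed countries are dropped, all others pass.
    mode="allow": whitelist; only the listed countries pass. An address with no
                  country mapping is dropped here (fail closed) - an assumption of
                  this example, not a statement about the product.
    IPv4 and IPv6 are handled alike because the lookup is keyed on network objects.
    """
    if mode not in ("block", "allow"):
        raise ValueError("mode must be 'block' or 'allow'")
    country = country_of(ip)
    if mode == "block":
        return country not in countries
    return country is not None and country in countries


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:2::5", "203.0.113.9", "10.0.0.1"):
        print(ip, country_of(ip),
              "block DE ->", country_lock_allows(ip, {"DE"}, "block"),
              "allow DE,FR ->", country_lock_allows(ip, {"DE", "FR"}, "allow"))
```

The practical consequence for a defender: in block mode an address missing from the lists is still admitted, so a country block is a noise reducer rather than a hard boundary; whitelist mode is the stricter choice but needs the lists to cover every legitimate peer, including IPv6 peers.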

VPN: Wireguard net-to-net connections

With this update it is possible to configure WireGuard-type links. WireGuard was designed with simple operation, high speed and a small attack surface as its primary goals. To set up a tunnel, only the public keys need to be exchanged in advance. WireGuard has also proven its worth in terms of tunnel stability. Network-to-network connections are supported; road-warrior connections are not yet.
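The "only public keys need to be exchanged" property follows from the shape of a WireGuard net-to-net configuration: each side's file contains its own private key and only the other side's public key, and the AllowedIPs entry is at once the route into the tunnel and the list of source addresses the remote peer is allowed to use. The following added example (not Collax's code and not from the WireGuard project) renders the two sides' configuration files from constructed site data; the key strings are placeholders, not valid keys, and the addresses are documentation ranges.

```python
import ipaddress

# Constructed site descriptions. Real WireGuard keys are 32 random bytes encoded as
# 44 base64 characters; the placeholders below are NOT usable keys.
SITE_A = {
    "name": "site-a",
    "public_key": "SITE_A_PUBLIC_KEY_PLACEHOLDER_base64===",
    "endpoint": "203.0.113.1:51820",
    "tunnel_ip": "10.99.0.1/24",
    "lans": ["192.168.10.0/24"],
}
SITE_B = {
    "name": "site-b",
    "public_key": "SITE_B_PUBLIC_KEY_PLACEHOLDER_base64===",
    "endpoint": "198.51.100.1:51820",
    "tunnel_ip": "10.99.0.2/24",
    "lans": ["192.168.20.0/24"],
}


def peer_config(local, remote, private_key_placeholder="<local private key, never shared>"):
    """Render the local side's wg0.conf for a net-to-net tunnel to `remote`.

    Only the remote side's *public* key appears in the file. AllowedIPs lists the
    remote tunnel address plus the remote LANs: packets for those destinations are
    routed into the tunnel, and packets arriving from the peer are dropped unless
    their source address is inside this set (cryptokey routing)."""
    allowed = [str(ipaddress.ip_interface(remote["tunnel_ip"]).ip) + "/32"]
    allowed += [str(ipaddress.ip_network(n)) for n in remote["lans"]]
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key_placeholder}",
        f"Address = {local['tunnel_ip']}",
        f"ListenPort = {local['endpoint'].rsplit(':', 1)[1]}",
        "",
        "[Peer]",
        f"PublicKey = {remote['public_key']}",
        f"Endpoint = {remote['endpoint']}",
        f"AllowedIPs = {', '.join(allowed)}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


def check_no_overlap(a, b):
    """A net-to-net tunnel cannot route between two LANs that overlap; refuse to
    generate a configuration in that case."""
    for na in a["lans"]:
        for nb in b["lans"]:
            if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                return False
    return True


if __name__ == "__main__":
    if check_no_overlap(SITE_A, SITE_B):
        print("# --- site-a/wg0.conf ---")
        print(peer_config(SITE_A, SITE_B))
        print("# --- site-b/wg0.conf ---")
        print(peer_config(SITE_B, SITE_A))
```

Note that the remote LAN prefixes appear on both sides: in A's file as AllowedIPs for peer B, and in B's file as AllowedIPs for peer A. If the two lists are not mirror images, traffic in one direction is silently dropped, which is the usual cause of a "tunnel is up but nothing passes" report.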

SSL VPN: Proxy for Outlook on the Web

A reverse proxy allows access from the Internet to an internal web server. The reverse proxy for OWA can be used to make an Exchange Server accessible via browser. Currently the abbreviation OWA stands for “Outlook on the Web”. The Exchange server function is also known under its previous names “Outlook Web App” or “Outlook Web Access”. The new function is available as of Exchange 2019 and can be found under Network -> SSL VPN. The function is included in the SSL VPN add-on module. Z-Push and Proxy for OWA cannot be operated in parallel.

Mail: DKIM for outgoing mail

Starting from this version, DomainKeys Identified Mail (DKIM), which the spam filter already uses as an additional filtering method for incoming e-mails, is also available for outgoing e-mails. The spam filter can already rate incoming e-mails based on their DKIM signature. Now outgoing e-mails can also be provided with a DKIM signature. The recipient can then check whether the sender's mail domain is actually owned by the sender and that the mail address is not forged. To be able to check the signature, the public key must be stored in the DNS. For this purpose, a text file can be created in the administration interface, which can be used for configuration at the DNS provider of the mail domain. The dialog is located under Mail and Messaging -> Spam -> Reputation Services.
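The DNS record the administrator publishes and the header a verifier reads are two halves of the same mechanism. The following added example (not Collax's code) builds the TXT record from a PEM public key and shows how a receiving side derives the record name from a DKIM-Signature header and checks that the signing domain (d=) belongs to the From: domain; the PEM body, the selector "csg2022", the domain example.com and the header values are constructed placeholders.

```python
# Constructed placeholder: the shape of a PEM public key as written by
# "openssl rsa -pubout". The base64 body is not a real key.
SAMPLE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexampleexample
exampleexampleexampleexampleexampleexampleexampleexampleexamp
-----END PUBLIC KEY-----
"""


def dkim_txt_record(selector, domain, public_key_pem, hash_algs=("sha256",)):
    """Build the DNS TXT record the domain owner publishes.

    Name:  <selector>._domainkey.<domain>
    Value: v=DKIM1; k=rsa; h=<hashes>; p=<PEM body without header, footer or line breaks>
    """
    body = "".join(
        line.strip() for line in public_key_pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    name = f"{selector}._domainkey.{domain}"
    value = f"v=DKIM1; k=rsa; h={':'.join(hash_algs)}; p={body}"
    return name, value


# Constructed DKIM-Signature header as a signing gateway would add it; the body hash
# (bh=) and signature (b=) values are placeholders.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
    "s=csg2022; h=from:to:subject:date; bh=BODYHASHPLACEHOLDER=; "
    "b=SIGNATUREPLACEHOLDER="
)


def parse_dkim_tags(header):
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list)."""
    _, _, value = header.partition(":")      # drop the "DKIM-Signature" field name
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")    # split on the FIRST "=" only: b= ends in "="
        tags[key.strip()] = val.strip()
    return tags


def key_record_name(header):
    """Where a verifier fetches the public key: <s>._domainkey.<d>."""
    tags = parse_dkim_tags(header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def signing_domain_matches_from(header, from_addr):
    """A valid signature proves control of the d= domain. It only says something about
    the visible sender if d= is the From: domain or a parent of it, so a verifier
    checks that alignment as well."""
    d = parse_dkim_tags(header)["d"].lower()
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return from_domain == d or from_domain.endswith("." + d)


if __name__ == "__main__":
    name, value = dkim_txt_record("csg2022", "example.com", SAMPLE_PUBKEY_PEM)
    print(f'{name} IN TXT "{value}"')
    print("verifier looks up:", key_record_name(SAMPLE_HEADER))
    print("aligned with alice@example.com:",
          signing_domain_matches_from(SAMPLE_HEADER, "alice@example.com"))
```

DNS providers often limit a single TXT string to 255 characters; a 2048-bit RSA key produces a longer p= value, so the record may have to be split into several quoted strings at the provider. The value itself is unchanged; only its presentation in the zone differs.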

Mail: Reject external mails with local domain

This setting can be used to prevent incoming e-mails from external sources from faking a local sender address. E-mails with a sender address from one of the local e-mail domains are only accepted if they originate from an internal network. Internal networks are all networks that are included in a network group with the Mail Relay permission. With this option, external e-mails from supposedly internal senders are rejected. The option is located in the Mail and Messaging -> SMTP Receive -> Options dialog.
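The rule above is a decision on two inputs, the envelope sender's domain and the connecting client's address. The following added example (not Collax's code) implements that decision, including the null sender used by bounce messages, which has no domain and must not be caught by the check; the local domains and relay networks are constructed values.

```python
import ipaddress

# Constructed configuration: the gateway's own mail domains and the networks that
# belong to a network group with the "Mail Relay" permission.
LOCAL_DOMAINS = {"example.com", "example.net"}
RELAY_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.8.0.0/24")]


def is_internal(client_ip):
    """True if the SMTP client sits in a relay-permitted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in RELAY_NETWORKS)


def smtp_sender_decision(mail_from, client_ip, reject_external_local=True):
    """Return (action, reason) for a MAIL FROM at SMTP receive time.

    With the option enabled, a sender address in a local domain is accepted only
    when the client is internal; the same address from an external client is
    rejected as a spoof. Senders in foreign domains are not affected by this check
    and continue into the normal spam filtering."""
    sender = mail_from.strip().strip("<>")
    if sender == "":
        # Null sender: bounces and delivery status notifications carry no domain.
        return ("accept", "null sender (bounce), check not applicable")
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        return ("accept", "external sender domain, regular filtering applies")
    if is_internal(client_ip):
        return ("accept", "local domain from relay-permitted network")
    if reject_external_local:
        return ("reject",
                f"550 sender {sender} claims local domain {domain} from external host {client_ip}")
    return ("accept", "local domain from external host (option disabled)")


if __name__ == "__main__":
    for mail_from, ip in (("bob@example.com", "192.168.10.5"),
                          ("bob@example.com", "203.0.113.7"),
                          ("carol@other.org", "203.0.113.7"),
                          ("<>", "203.0.113.7")):
        print(mail_from, ip, "->", smtp_sender_decision(mail_from, ip))
```

One side effect worth checking before enabling the option: legitimate external services that send on behalf of a local domain (hosted newsletters, ticket systems, a cloud backup that mails reports with a local From: address) will be rejected unless their networks are covered by a relay-permitted group, so the rejection log should be reviewed in the first days.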

Collax Central: Feature Offensive

With Collax Central, you have an overview of all Collax servers at all times. This makes administration much easier. Thanks to active system monitoring, Collax Central indicates impending problems early on and offers an effective tool for efficient and fast administration. This is where all the information comes together. Problems in a large server landscape can be detected at a glance. Sporadic and regular maintenance tasks are quickly completed.

Based on feedback, we have introduced three new features for Collax Central:

Summaries: A regular summary can be set up via e-mail. Not least, this can be used to confirm that Collax Central itself is operational: with the summaries, it is possible to decide whether missing messages mean that there are no problems or that the mail traffic itself is disturbed.

All-clear: Some reported problems can be assumed to be temporary in nature. They do not require any intervention, but it is helpful that Collax Central now sends an all-clear message when the problem no longer exists.

Link status: A new box has been added to the Collax Central interface. It contains an overview and the status of the server’s links.

System Management: Linux Kernel 5.10.128

With this update the Linux Kernel 5.10.128 is installed.

GUI: Modernized warning and dialog windows

This update modernizes the GUI warning and dialog boxes. As a cherry on top, the error dialog now has a “Copy to clipboard” button to make it easier for administrators to copy information.

System Management: RAID status monitoring on Broadcom controllers

With the introduction of the Broadcom 95xx MegaRAID controller family, a change of the management tool from “megacli” to “storcli” became necessary. Please note that the output of the monitoring messages (Nagios) will change as a result. With the new check, the temperatures of the controller, the disks and the cache backup unit (BBU or CacheVault) are now also monitored. If the temperature thresholds are exceeded, the administrator is informed.

Security: Important security-relevant system packages

Security vulnerabilities have been discovered in the source code of important system packages. They are closed with this software update. Below is an excerpt of the best-known affected packages and CVE numbers.

The fix refers to the following CVE numbers:

  - Open source virus scanner ClamAV 0.104.3: CVE-2022-20770, CVE-2022-20771, CVE-2022-20785, CVE-2022-20792, CVE-2022-20796
  - Download tool curl 7.83.1: CVE-2022-22576, CVE-2022-27775, CVE-2022-27776
  - Web server Apache 2.4.54: see here
  - Database server MariaDB 10.5.16: see here
  - DNS server BIND 9.16.28: see here
  - OpenSSH 9.0p1: see here
  - Scripting language PHP 7.4.30: see here

Problems fixed in this version

Certificates: CSR

Certificate Signing Requests (CSRs) are used to submit data from the server to the certificate issuer (CA) in order to obtain a publicly signed SSL certificate. Due to an error when importing the signed keys in the GUI, the private key could not be correctly assigned to the CSR. This is fixed with this update.

Let’s Encrypt: Export with hyphen in the name

Let’s Encrypt is a certificate authority that offers free X.509 certificates for SSL encryption. With the Collax Let’s Encrypt module, the otherwise usual manual procedures are replaced by an automated process. If the name assigned to the certificate in the graphical user interface contained a hyphen, exporting the certificate failed. This is fixed with this update.

VPN: IKEv2 - multiple assigned virtual addresses

For VPN dial-in connections (RoadWarrior connections) with user authentication of type IKEv2, it could happen in rare cases that, after a provider-forced disconnection, virtual IP addresses were assigned more than once on the dial-in side. This error is solved by using an Acct-Session-Id attribute and no longer occurs.
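Why a session identifier closes this kind of hole is easier to see in a small model than in prose. The following added example (not Collax's code, and not a description of its internals) contrasts an address pool whose leases are keyed on the user name with one keyed on the Acct-Session-Id: in the reconnect scenario (client dials in, provider drops the line, client dials in again before the old session has been torn down, then the old session is released), the user-keyed pool frees the address the client is currently using and hands it to the next client. The pool range, user names and session ids are constructed.

```python
import ipaddress


class SessionKeyedPool:
    """Virtual address pool with one lease per Acct-Session-Id.

    A reconnecting client gets a new session id, so releasing the old session can
    only ever free the old session's address, never the one now in use."""

    def __init__(self, cidr):
        self.free = list(ipaddress.ip_network(cidr).hosts())
        self.leases = {}                      # session_id -> (user, address)

    def assign(self, user, session_id):
        if session_id in self.leases:         # idempotent re-request for a live session
            return self.leases[session_id][1]
        addr = self.free.pop(0)
        self.leases[session_id] = (user, addr)
        return addr

    def release(self, session_id):
        lease = self.leases.pop(session_id, None)
        if lease is not None:
            self.free.insert(0, lease[1])     # released addresses are reused first


class UserKeyedPool:
    """Illustration of the failure mode: leases keyed on the user name only, so the
    pool cannot tell the stale session from the live one."""

    def __init__(self, cidr):
        self.free = list(ipaddress.ip_network(cidr).hosts())
        self.leases = {}                      # user -> address

    def assign(self, user):
        addr = self.free.pop(0)
        self.leases[user] = addr              # overwrites (and leaks) the previous lease
        return addr

    def release(self, user):
        addr = self.leases.pop(user, None)
        if addr is not None:
            self.free.insert(0, addr)


def reconnect_scenario_session_keyed():
    """Returns (no address handed out twice?, (first alice, second alice, bob))."""
    pool = SessionKeyedPool("10.10.0.0/29")
    a1 = pool.assign("alice", "sess-1")       # first dial-in
    a2 = pool.assign("alice", "sess-2")       # dial-in again after forced disconnect
    pool.release("sess-1")                    # old session torn down later (e.g. DPD)
    b = pool.assign("bob", "sess-3")
    live = [a2, b]
    return len(live) == len(set(live)), (str(a1), str(a2), str(b))


def reconnect_scenario_user_keyed():
    pool = UserKeyedPool("10.10.0.0/29")
    a1 = pool.assign("alice")
    a2 = pool.assign("alice")
    pool.release("alice")                     # stale release frees alice's CURRENT address
    b = pool.assign("bob")
    live = [a2, b]
    return len(live) == len(set(live)), (str(a1), str(a2), str(b))


if __name__ == "__main__":
    print("session-keyed:", reconnect_scenario_session_keyed())
    print("user-keyed:   ", reconnect_scenario_user_keyed())
```

In the user-keyed model the damage is twofold: the first address is leaked because the overwrite loses track of it, and the second is handed out twice, so two clients end up with the same virtual IP and the gateway's routing to them becomes ambiguous. Keying on the session id fixes both.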

GUI: Automatic logoff Admin GUI

Under User Policies -> Administrator, an automatic logoff from the system can be configured. Due to an error, however, the configured logoff was not detected correctly, so administrators were not logged off. This behavior has been corrected.

Notes

VPN: Fix for IKEv2 connections with Microsoft Windows that break after 7.6 hours

VPN connections using IKEv2 with Microsoft Windows’ built-in client are interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during the IKE rekeying than during the initial connection. The problem can be solved with a registry fix: set the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1.

At the following link you can find a REG file (registry entry) that adds the registry key. Collax assumes no liability for system errors resulting from this.