Question regarding CVE-2021-33393

Hello all…

Is this real?

Here’s more info

Should we worry about this? Is there a patch to correct this?

Thanks

It has been fixed in Core Update 157 which was released on Monday this week. The announcement mentions this security vulnerability and the bug.

https://blog.ipfire.org/post/ipfire-2-25-core-update-157-released

2 Likes

Ok, thanks for the answer…

It’s perfect :wink:

Hi,

while Adolf already answered your question, I cannot resist adding some thoughts. :slight_smile:

First of all: Yes, this is a security vulnerability, and we are thankful to have been informed about it.

While I am usually not the one who downplays security issues, I think it is important to stress the “authenticated” bit in the vulnerability description. In order to conduct the attack, it is necessary for the attacker to know the login credentials to one’s IPFire machine - which is still a significant hurdle in real life.

So, if IPFire users follow good security practices, especially for the systems they use for logging onto their IPFire machines (see this blog post for some ideas), they are relatively safe from CVE-2021-33393. This includes having a good firewall ruleset in place, and not exposing IPFire’s web interface or SSH server to the internet.

Sadly, the latter is not true for everyone: As of today, Shodan still lists 1,281 IPFire machines having their web interface exposed. Assuming their admins do not care about security as much as they should, these systems might be an easier target indeed. :expressionless:

Thanks, and best regards,
Peter Müller

2 Likes

But doesn’t that mean they must have put a firewall rule in place to allow access to the web interface from the internet!!

2 Likes

The attacker also needs to be authenticated to the web user interface. At that stage, they already have full control over the system which makes the vulnerability less interesting.

1 Like

I was just surprised that there are so many people that expose their firewall admin interface to the internet. Surely that is what VPN is for.

2 Likes