
v1.4.4 - Security Patch

@NHAS NHAS released this 29 Oct 08:45

This update resolves an inconsistency in the XDP firewall that could have resulted in network hosts being unintentionally exposed under specific configurations.

Patching

This will require a full restart of wag (not just a hot upgrade), as the change is in the XDP firewall program itself.

Description

If a public Allow route also matches (for example, covers) a route in the Mfa list, the public route was used when the user was not authorized, effectively meaning that the user could always reach that host/network without ever completing MFA.

Example Vulnerable Configuration

In the following configuration, a user would always have had access to the 10.0.0.0/24 network, regardless of MFA status, because the public 0.0.0.0/0 route also covers it. This is not intended.

```json
"Acls": {
    "Policies": {
        "*": {
            "Mfa": [
                "10.0.0.0/24"
            ],
            "Allow": [
                "0.0.0.0/0"
            ]
        }
    }
}
```
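The following Go program is an added illustration for the Description and the example configuration above; it is not wag's own code and does not reproduce its XDP program. It loads the configuration shown (wrapped in outer braces so it parses as a complete JSON document), reports which Mfa routes are overlapped by a public Allow route, and contrasts a route lookup that behaves as described for the vulnerable versions (a matching public route is used regardless of MFA status) with one in which an Mfa route takes precedence over any overlapping public route. The `Config` and `Policy` types, and the precedence rule in `FixedLookup`, are assumptions made for the example, not wag's types or its actual fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Routes is the JSON shape of one entry under Acls.Policies, as on this page.
type Routes struct {
	Mfa   []string `json:"Mfa"`
	Allow []string `json:"Allow"`
}

// Config is just enough of the config file to load the example policy
// (assumed structure for this example; other fields are ignored).
type Config struct {
	Acls struct {
		Policies map[string]Routes `json:"Policies"`
	} `json:"Acls"`
}

// exampleConfig is the vulnerable configuration from the release note,
// wrapped in braces so that it parses as a complete JSON document.
const exampleConfig = `{
  "Acls": {
    "Policies": {
      "*": {
        "Mfa":   ["10.0.0.0/24"],
        "Allow": ["0.0.0.0/0"]
      }
    }
  }
}`

// Policy holds one group's routes as parsed prefixes.
type Policy struct {
	Mfa   []netip.Prefix
	Allow []netip.Prefix
}

func parsePrefixes(ss []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(ss))
	for _, s := range ss {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad route %q: %w", s, err)
		}
		out = append(out, p)
	}
	return out, nil
}

// LoadPolicies parses the Acls.Policies section into Policy values keyed by group name.
func LoadPolicies(raw string) (map[string]Policy, error) {
	var cfg Config
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	out := make(map[string]Policy, len(cfg.Acls.Policies))
	for group, r := range cfg.Acls.Policies {
		mfa, err := parsePrefixes(r.Mfa)
		if err != nil {
			return nil, err
		}
		allow, err := parsePrefixes(r.Allow)
		if err != nil {
			return nil, err
		}
		out[group] = Policy{Mfa: mfa, Allow: allow}
	}
	return out, nil
}

func matchesAny(routes []netip.Prefix, dst netip.Addr) bool {
	for _, r := range routes {
		if r.Contains(dst) {
			return true
		}
	}
	return false
}

// VulnerableLookup models the behaviour described for versions before 1.4.4:
// a destination covered by a public Allow route is forwarded even when it is
// also covered by an Mfa route and the user has not authorized.
func VulnerableLookup(p Policy, dst netip.Addr, authorized bool) bool {
	if matchesAny(p.Allow, dst) {
		return true // public route wins; MFA status is never consulted
	}
	return authorized && matchesAny(p.Mfa, dst)
}

// FixedLookup models the intended semantics assumed here: an Mfa route takes
// precedence over any overlapping public route, so the destination is only
// reachable once the user has authorized.
func FixedLookup(p Policy, dst netip.Addr, authorized bool) bool {
	if matchesAny(p.Mfa, dst) {
		return authorized
	}
	return matchesAny(p.Allow, dst)
}

// ShadowedMfaRoutes reports the Mfa routes that overlap a public Allow route,
// i.e. the routes the vulnerable lookup would have exposed to unauthorized users.
func ShadowedMfaRoutes(p Policy) []netip.Prefix {
	var out []netip.Prefix
	for _, m := range p.Mfa {
		for _, a := range p.Allow {
			if a.Overlaps(m) {
				out = append(out, m)
				break
			}
		}
	}
	return out
}

func main() {
	policies, err := LoadPolicies(exampleConfig)
	if err != nil {
		panic(err)
	}
	p := policies["*"]
	fmt.Println("Mfa routes overlapped by a public route:", ShadowedMfaRoutes(p))
	for _, dst := range []string{"10.0.0.5", "8.8.8.8"} {
		addr := netip.MustParseAddr(dst)
		fmt.Printf("%-9s unauthorized: vulnerable=%-5v fixed=%v\n", dst,
			VulnerableLookup(p, addr, false), FixedLookup(p, addr, false))
	}
}
```

Running `ShadowedMfaRoutes` over a real config is the quick check for whether a deployment was affected: any Mfa route it returns was reachable without MFA on the affected versions whenever a broader public route (such as 0.0.0.0/0) sat beside it in the same policy.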