Release Notes CSG 7.1.2

Collax Security Gateway
06.05.2019

Installation Notes

Update Instructions

To install this update, follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be verified in the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful, the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

Security: DNSSEC validation

DNSSEC can be used to verify the authenticity of the queried DNS server and the integrity of its response. This option should be enabled to protect against attacks with incorrect DNS responses. This dialogue is located under Network → DNS → Options.

GUI: New design User Web Access

In the user web access, users of the Collax Server have access to applications such as web-mail, mail-archive, SSL-VPN and groupware or shared documents. From this update on, the web access uses up-to-date technology with a new and improved layout.

Collax Advanced Networking: Improved Brute Force Protection for SMTP Password-Scanners

In SMTP authentication, the password is transmitted in plain text and could be intercepted. Secure, encrypted transmission of the password is only possible when TLS (Transport Layer Security) is activated. This option can be used to ensure that the SMTP service authenticates only when TLS is enabled. SMTP password scanners ignore the missing “AUTH” option in the EHLO response and still attempt authentication without TLS, which is not logged in the normal way. These scanners do not even attempt authentication with TLS, which would lead to the usual failed login messages. This release adds a new filter that detects these types of attacks and protects the system from them.
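
The detection idea described above, as an added example that is not Collax code: it counts AUTH commands sent on sessions that never issued STARTTLS and lists the clients that reach a threshold. The log format, the function names and the threshold of 3 are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample, one client command per line: "<client ip> <session id> <command>".
SAMPLE_LOG = """\
198.51.100.7 s1 EHLO scanner
198.51.100.7 s1 AUTH LOGIN
198.51.100.7 s2 EHLO scanner
198.51.100.7 s2 AUTH PLAIN
198.51.100.7 s3 EHLO scanner
198.51.100.7 s3 AUTH LOGIN
192.0.2.10 s4 EHLO mail.example.org
192.0.2.10 s4 STARTTLS
192.0.2.10 s4 EHLO mail.example.org
192.0.2.10 s4 AUTH PLAIN
203.0.113.5 s5 EHLO client
203.0.113.5 s5 AUTH LOGIN
"""

LINE = re.compile(r"^(?P<ip>\S+)\s+(?P<session>\S+)\s+(?P<verb>[A-Za-z]+)\b")


def plaintext_auth_attempts(log_text):
    """Count, per client IP, AUTH commands sent on sessions without STARTTLS."""
    tls_sessions = set()   # (ip, session) pairs that issued STARTTLS
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue       # skip lines that are not in the assumed format
        key = (m["ip"], m["session"])
        verb = m["verb"].upper()
        if verb == "STARTTLS":
            # Assumption: a logged STARTTLS means the TLS handshake succeeded.
            tls_sessions.add(key)
        elif verb == "AUTH" and key not in tls_sessions:
            hits[m["ip"]] += 1
    return hits


def clients_to_block(log_text, threshold=3):
    """Return the client IPs with at least `threshold` AUTH attempts without TLS."""
    hits = plaintext_auth_attempts(log_text)
    return sorted(ip for ip, count in hits.items() if count >= threshold)


if __name__ == "__main__":
    print(clients_to_block(SAMPLE_LOG))
```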

Use IKEv2 for outgoing IPsec connections

For outgoing IPsec VPN connections, this option can be used to specify that IKEv2 is used instead of IKEv1. This option is only available for “IPsec VPN” type links and when “Connection method” is set to “always” or “on demand”.

System Management: Analytics - Sends anonymous usage data to Collax for product improvements

With this update, a mechanism is implemented to transfer important data for further product development. For the life cycle of a product and its functions, it is important to obtain information about its use. The collection of analytic data is a powerful tool for product development. The diversity of the functions of a Collax server in particular requires well-founded weighing. Frequently used functions should be given greater focus for further development. In the case of rarely used or unused functions, it must be checked whether and how they can be replaced. The goal is to use development resources as sensibly as possible.

No user-related data will be transferred, nor any data that allows a reference to a user (such as IP addresses). Collax stores the data anonymously and does not pass it on to third parties.

For paid-licensed Collax servers, the transmission can be switched off. The complete data record can be viewed on the administration interface.

System Management: Renew X.509 certificates

Certificates according to the X.509 standard are managed on the Collax Server. Only certificates created on this server can be renewed. The existing certificate is replaced by a new certificate, and the original certificate is removed. It is possible to change the validity period, the e-mail address, the DNS alias names or the comment. The private key and the public key are taken from the original certificate. All signed certificates remain assigned to their CA.

System Management: Linux Kernel 4.9.171

This update installs Linux kernel 4.9.171.

Changelog

Hardware: Additional hardware support for Intel network cards.

This update adds support for more network cards with the Intel ixgbe driver version 5.5.5, the Intel igb driver version 5.3.5.22, the Intel i40e driver version 2.7.29 and the Intel e1000e driver version 3.4.2.4. The current status can be found in the Hardware Compatibility List.

Issues Fixed in this Version

Security: Internet Domain Name Server BIND

Security holes have been discovered in the source code of the internet domain name server BIND. These holes are closed by this Collax software update to BIND 9.11.5-P4.

CVE-2018-5740 / CVE-2018-5738 / CVE-2018-5744 / CVE-2018-5745 / CVE-2019-6465

Security: Remote Login Program OpenSSH

Security holes have been discovered in the source code of OpenSSH. These holes are closed by this software update to OpenSSH 7.9p1.

CVE-2018-15919 / CVE-2018-20685

Security: MySQL Administration phpmyadmin

Security holes have been discovered in the source code of the MySQL administration tool phpMyAdmin. These holes are closed by this Collax patch update to phpMyAdmin 4.8.5.

Assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2019-6799 / CVE-2019-6798 / CVE-2018-19968 / CVE-2018-19969 / CVE-2018-19970

Security: Transfer Tool Curl

Security holes have been discovered in the source code of the transfer tool curl. These holes are closed by this Collax software update to curl 7.64.

CVE-2018-16890 / CVE-2019-3822 / CVE-2019-3823

Security: Webserver Apache

Security holes have been discovered in the source code of the webserver Apache. These holes are closed by this Collax software update to Apache 2.4.39.

CVE-2019-0211 / CVE-2019-0217 / CVE-2019-0215 / CVE-2019-0197 / CVE-2019-0196 / CVE-2019-0220

E-Mail: Fixed MIME filter behaviour

Emails often contain unwanted or dangerous content that should not be delivered to users. Due to an error in the handling of regular expressions, it was possible that emails were filtered erroneously. For example, a MIME filter for the file extension “.com” could erroneously match the passage “domain.com” contained in the body of the e-mail. The regular expression has been adjusted and corrected within this release.
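
The class of error described above, as an added example that is not the Collax filter or its actual regular expression: an unanchored “.com” pattern applied to the whole message is compared with a pattern that must end an attachment file name. The messages, pattern names and function names are constructed for this illustration.

```python
import re
from email import message_from_string


def build_message(body, filename):
    """Constructed two-part message: a text body plus one attachment."""
    return "\n".join([
        "From: a@example.org", "To: b@example.org", "Subject: test",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XX"', "",
        "--XX", "Content-Type: text/plain", "", body,
        "--XX", "Content-Type: application/octet-stream",
        f'Content-Disposition: attachment; filename="{filename}"', "",
        "AAAA", "--XX--", "",
    ])


BODY_ONLY = build_message("See https://domain.com for details.", "report.pdf")
DOUBLE_EXT = build_message("Notes attached.", "notes.com.txt")
EXECUTABLE = build_message("Please open the attachment.", "SETUP.COM")

NAIVE = re.compile(r"\.com", re.IGNORECASE)        # matches anywhere in the text
ANCHORED = re.compile(r"\.com\Z", re.IGNORECASE)   # must end the file name


def naive_filter(raw_message):
    """Too broad: searches the whole raw message, body text included."""
    return bool(NAIVE.search(raw_message))


def filename_filter(raw_message):
    """Checks only attachment file names, and only their final extension."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        name = part.get_filename()   # None for parts without a file name
        if name and ANCHORED.search(name.strip()):
            return True
    return False


if __name__ == "__main__":
    for label, raw in [("body only", BODY_ONLY), ("double ext", DOUBLE_EXT),
                       ("executable", EXECUTABLE)]:
        print(label, naive_filter(raw), filename_filter(raw))
```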

Net: Connection monitoring

The behavior of the “linkd4” program in some situations has been improved. Among other things, the re-establishment of VPN connections and their routing tables and the extended link monitoring were improved. An error related to link restarts via the GUI has been corrected.

Collax SSL-VPN: Access to Reverse-Proxy

A reverse proxy allows access from the Internet to an internal web server. For this purpose, a web page or web application that is otherwise only accessible in the local network can be made accessible for selected user groups in Web Access. The data is re-encrypted and transmitted via SSL, even for unencrypted HTTP pages. The reverse proxy has been completely redesigned with this release.

Collax SSL-VPN: Importable users

The SSL-VPN “Connection” feature allows remote access to a desktop or console in the local network from Web Access. Due to a bug, SSL-VPN connections were not displayed for groups imported from the user management of an Active Directory. This is fixed with this release.

VPN: Compression

When compression is enabled for an SA, some packets (e.g. ICMP echo requests) get lost. This patch writes compression = no into all connections. Note though that, according to the Pluto documentation, compression will still be enabled when the peer requests it.

VPN: MD5 encryption

The hash algorithm MD5 is used in VPN tunnels. In the current strongSwan, this method causes errors in the service and the VPN tunnel crashes. For that reason, this method can no longer be chosen for VPN links on the Collax Server. As an alternative, the method SHA1 can be chosen. Please note that the method needs to be changed and the other VPN gateway modified accordingly.

VPN: Connections with Key Exchange SHA2 (256 Bit)

VPN connections using the hash algorithm SHA2 (256 Bit) during key exchange (IKE) may no longer work after the upgrade to Version 7 if the VPN partner is still using Collax Version 5. You should either upgrade to Version 7 or adapt the IPsec proposal to use a stronger algorithm on both sides, for example SHA2 (384 Bit).

Notes

E-Mail: Collax Virus Protection powered by Kaspersky prior to Version 7

In Version 7 of the Collax C servers, the anti-virus engine and the format of the patterns were updated. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.0 will be available until December 31, 2017. From 01.01.2018, Kaspersky will not update the patterns for Collax version 5 and older. All installations using the Collax Virus Protection module should therefore be brought up to date.

E-Mail: Collax Avira AntiVir prior to Version 7.0.24

In Version 7.0.24 of the Collax C servers, the anti-virus engine and the format of the patterns were updated. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.24 will be available until December 31, 2018. From 01.01.2019, Avira will not update the patterns for Collax version 7.0.22 and older. All installations using the Collax Avira AntiVir module should therefore be brought up to date.

Collax Information & Security Intelligence: Modified mapping of the indices

When Elastic Stack was updated to 6.4.0, the mapping of the indices was changed. This prevents Filebeat from writing data to the same index before and after the update. Therefore, after the update has been performed, the resulting data will no longer be included in the index. From 0:00 on, Elastic Stack will create a new index and all data from this point will be written to the index again. The data between the end of the update and midnight will be lost. If it is preferable to give up the data from before the update instead (from 0:00 until the end of the update), the index for the current day can be deleted after the update via the administration interface. In that case, all data between 0:00 and the deletion of the index will be lost.

Collax Information & Security Intelligence: Schema change

A schema change in Release 7.1.0 requires that the Elastic Stack and Beats be updated at the same time. To do this, update the server with the Elastic Stack and the server with Filebeat one after the other.