Business Edition of CVE-2026-7164

Started by wirehire, April 30, 2026, 03:40:21 PM

Hey,

I saw that the community edition has received fixes for several CVEs. What about the business edition? Will there be patches for 25.10 and for 26.4?

like CVE-2026-7164

greets

If the day had 32 hours things would be different, but for now we have to settle for a business fix for tomorrow.

This is our usual strategy: start fixing community and then move to business. Given the surprise timing, coupled with lots of changes in critical areas (the OS in particular), it isn't good to not follow the good strategy.


Cheers,
Franco

Franco, I really appreciate your work! There's no question about that. The only question was how critical this vulnerability is, and it currently appears that it doesn't need to be patched immediately. Is that correct?

Quote from: wirehire on April 30, 2026, 08:25:13 PM
The only question was how critical this vulnerability is, and it currently appears that it doesn't need to be patched immediately. Is that correct?

The most critical one in the latest lot is CVE-2026-7270, IMHO. Privilege escalation through execve(2). But since in the context of OPNsense we would need a remote code execution or a malicious actor with a shell account, first, I think it can safely be ignored for a couple of days.

CVE-2026-7164 can IMHO equally be ignored unless you have specific rules allowing IP protocol 132 (SCTP). Check your rule set for rules that do not specify the protocol explicitly as TCP, UDP or ICMP but use "any" instead. These are susceptible to a DoS attack. You might want to replace "*" with "TCP/UDP" if applicable.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
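A way to carry out the rule-set check Patrick describes, as an added example that is not part of the thread or of the OPNsense project: the script below scans rules in the one-rule-per-line format printed by `pfctl -sr` and reports the `pass` rules that would admit IP protocol 132, i.e. rules with no `proto` keyword (pf matches every protocol then) or with `proto sctp` / `proto 132`. The sample rule lines, interface names and labels are constructed for the example; the `--live` switch and the `sctp_exposing_rules` / `rule_matches_sctp` names are this example's own. It only finds candidates; deciding which of them to restrict to TCP/UDP is still a manual step.

```python
"""Flag pf rules that would pass IP protocol 132 (SCTP).

Added example, not from the forum thread or the OPNsense project. It reads
text in the format printed by `pfctl -sr` (one expanded rule per line) and
lists the `pass` rules whose protocol selector admits SCTP.
"""
import re
import shlex
import subprocess
import sys

SCTP_PROTO_NUMBER = 132

# Constructed sample in the style of `pfctl -sr` output (not a real capture).
SAMPLE_RULES = """\
block drop in log quick inet all label "Default deny rule IPv4"
pass in quick on vtnet0 inet proto tcp from any to any port = 22 flags S/SA keep state label "allow ssh"
pass in quick on vtnet1 inet from 192.168.1.0/24 to any keep state label "LAN to any"
pass in quick on vtnet0 inet proto udp from any to any port = 1194 keep state label "openvpn"
pass in quick on vtnet1 inet proto sctp from any to any keep state label "explicit sctp"
pass in quick on vtnet1 inet proto 132 from any to any keep state label "sctp by number"
block drop in quick on vtnet0 inet from 10.0.0.0/8 to any label "rfc1918 in"
pass out quick on vtnet0 inet proto icmp all keep state label "icmp out"
"""


def rule_matches_sctp(rule: str) -> bool:
    """True if the rule's protocol selector would match SCTP (132).

    A pf rule without a `proto` keyword matches every IP protocol;
    `proto sctp` and `proto 132` match it explicitly. Any other single
    protocol (tcp, udp, icmp, ...) does not. shlex keeps quoted labels as
    one token, so a label containing the word "proto" is not misread.
    """
    tokens = shlex.split(rule)
    if "proto" not in tokens:
        return True
    proto = tokens[tokens.index("proto") + 1]
    return proto == "sctp" or proto == str(SCTP_PROTO_NUMBER)


def sctp_exposing_rules(pfctl_output: str) -> list[str]:
    """Return the labels (or raw text) of `pass` rules that admit SCTP.

    block rules are skipped: they do not open anything, so only pass rules
    can expose SCTP to the stack.
    """
    hits = []
    for line in pfctl_output.splitlines():
        line = line.strip()
        if not line.startswith("pass"):
            continue
        if rule_matches_sctp(line):
            m = re.search(r'label "([^"]*)"', line)
            hits.append(m.group(1) if m else line)
    return hits


def main() -> None:
    # `--live` runs `pfctl -sr` on the box (needs root); otherwise the
    # constructed sample above is scanned.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        output = subprocess.run(
            ["pfctl", "-sr"], capture_output=True, text=True, check=True
        ).stdout
    else:
        output = SAMPLE_RULES
    for label in sctp_exposing_rules(output):
        print(f"SCTP reachable via rule: {label}")


if __name__ == "__main__":
    main()
```

On the sample the three hits are the "LAN to any" rule (no `proto` at all, which is what a "*" protocol in the GUI becomes) and the two rules naming SCTP outright; the tcp, udp and icmp rules are not reported. Run it with `--live` on the firewall itself to scan the loaded rule set instead of the sample.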

Quote from: Patrick M. Hausen on April 30, 2026, 09:06:57 PM
Check your rule set for rules that do not specify the protocol explicitly as TCP, UDP or ICMP but use "any" instead. These are susceptible to a DoS attack. You might want to replace "*" with "TCP/UDP" if applicable.

Thank you Patrick for pointing this out

Something the Fortinets had that was rather nice was "session-helper" (ALG or protocol parsing) control - you could enable specific ALGs by protocol and port. (Interestingly, I don't see SCTP in my old config template.) Killing the SCTP ALG might be of limited use, though.