VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS 1.4.1 release

Daniil Baturin
Posted 20 Dec, 2024

Hello, Community!

VyOS 1.4.1 release is now available to customers and community members with contributor subscriptions. Its source code is available as a tarball upon request to everyone who legitimately received a binary image for us.  Fixes for CVE-2023-32728 (Zabbix agent SMART plugin RCE) and CVE-2024-6387 (regreSSHion) that were already available as hotfixes are integrated in the image, and there is a fix for a potential DoS in the HTTP API caused by a vulnerability in the python-multipart library (CVE-2024-53981). This release also includes multiple bug fixes and a few improvements, including support for Base64-encoded IPsec secrets, VXLAN VNI to VLAN range mappings, reject routes, and more — read on for details!

Release structure change — update ISOs are now available for every platform

Previously we had a generic ISO image that could be used for installing VyOS on bare metal and for updating various kinds of systems via add system image <ISO URL>, including KVM and VMware VMs, Google Cloud and Oracle cloud instances, and more. That structure always raised a lot of questions from users what image type they should use for a particular system. For Microsoft Azure, we always had a special update image, for Amazon Web Services we added it later, and for everything else we recommended the generic image. However, there is no reason to complicate things — update procedures should not require any reasoning about compatibility.

Now there is an update ISO for every platform, local and cloud alike. The generic ISO no longer contains any VM or cloud guest agents and is meant for use on bare metal. For updating KVM instances, you will find a KVM ISO with just qemu-guest agent built-in and no agents for other hypervisors that do not bring any benefits to a KVM guest — ditto for other platforms. From now on, the general rule is that if we support a platform, there will be a targeted image for it (OVA, qcow2, vhdx...) and an ISO image that you can use for updating already deployed instances.

Source code access is upon request

As we already announced earlier, from this release, source code of LTS branches is no longer publicly available on GitHub. That does not make VyOS any less free (as in freedom) software —the source code is available to everyone who legitimately obtains a binary image, exactly as the GNU GPL requires. That includes customers and community members with contributor subscriptions.

The rolling release is hosted in public repositories and open to contributions, as usual, and if you actively participate in its development and testing, you may already be eligible for a contributor subscription!

EULA update

We have updated the LTS image EULA to reflect changes in VyOS entities, make it more comprehensive, and clarify the terms. You can find it inside the image in /usr/share/vyos/EULA (or use the show license command) or read it online.

Security

This release includes fixes for vulnerabilities that were previously available to customers as hotfix packages:

  • CVE-2023-32728: Remote code execution in Zabbix agent via SMART plugin.
  • CVE-2024-6387 (regreSSHion): remote code execution in OpenSSH server.

In addition to those, there is a fix for a new issue:

  • CVE-2024-53981: DoS in python-multipart (used by the HTTP API server).

New features

Here are some of the features we added in this release.

Base64-encoded IPsec secrets (T264)

There was a long-standing limitation that affected some IPsec users. IPsec secrets are simply sequences of bytes so they can contain values that correspond to any ASCII characters... or not correspond to any characters from the ASCII standard and have no printable representations.

However, VyOS is pretty strict about characters it allows in configuration node values. Some notable character that cannot appear in values are single and double quotes, so you cannot do something like set vpn ipsec authentication psk Galway-HQ secret "Mister O'Connor".

Before VyOS 1.4.1, if the router of the hypothetical Galway-HQ peer wanted to use "Mister O'Connor" as a pre-shared key, all you could do was to ask them to use something else.

Now it is possible to enter Base64-encoded secrets in the config, so character restrictions are easy to work around.

set vpn ipsec authentication psk Galway-HQ secret-type base64 
set vpn ipsec authentication psk Galway-HQ secret 'TWlzdGVyIE8nQ29ubm9yCg=='

The current syntax is a compromise that we had to make to ship the feature in a maintenance LTS release where we cannot make syntax changes. In future releases we may make an encoded secret a separate node and add a migration script — let us know if you like this syntax or have other ideas for it.

VXLAN VNI to VLAN mapping (T6505)

It is now possible to configure VLAN to VNI mapping in VXLAN tunnels:

set interfaces vxlan vxlan1 vlan-to-vni 2-4094 vni 10002-14094

DHCP lease removal command

We used to have a command for forcibly releasing DHCP server leases long ago, and eventually removed it because its lease file mangling did not work reliably and could not be made to work reliably, especially in high-availability setups. Now there is a new implementation based on the ISC DHCP server's OMAPI calls. From our testing, it is reliable enough, at least in single-server setups. The new command is:

run release dhcp server <address>

Reject routes (T4283)

VyOS has supported blackhole routes for a long time, that make the system silently discard traffic to certain destinations.

Now it is also possible to create routes that make the system notify the sender (with an ICMP destination host/net prohibited message) instead of dropping it silently.

set protocols static route 203.0.113.0/27 reject

If you want to protect a host from an ongoing DoS attack or block a known malicious host (e.g., to prevent malware on infected hosts from contacting its command and control nodes), blackhole routes are perfect; but if you null-route something as a matter of internal policy, these new reject routes make it a lot easier to find out why a host is unreachable.

New operational mode commands for QoS (T6452)

There were a few operational commands for QoS that, arguably, should have always existed but did not exist. Now they do:

show qos shaping detail
show qos shaping interface <int name>
show qos shaping interface <int name> detail
show qos shaping interface <int name> class <class name>
show qos shaping interface <int name> class <class name> detail
show qos cake interface <int name>

Changelog

Finally, here is the complete changelog for this release.

Security

  • T6776: zabbix-agent affected by CVE-2023-32728 (RCE via S.M.A.R.T. plugin)
  • T6783: Update vyos-http-api-tools for package Starlette security advisory
  • T6935: Update vyos-http-api-tools for package python-multipart security advisory

New features and improvements

  • T6362: Add a conntrack/translations logger daemon
  • T6424: ipsec: op-mode command to generate client profiles should honor common name of the CA node that signed the server certificate
  • T6452: Add missing QoS Op Mode Commands
  • T6454: Explicitly set the default reverse proxy mode to HTTP
  • T6462: wireless: add op-mode command for hostapd and wpa_supplicant logs
  • T6477: Adding Loki plugin to Telegraf
  • T6500: openconnect: add support for new multi ca-certificate CLI node
  • T6505: Support VXLAN VLAN-VNI range mapping in CLI
  • T6537: Include hostname in the reboot/shutdown warning messsage
  • T6538: Allow adding a geneve interface to the vrf.
  • T6539: Add logging options to load-balancer reverse-proxy
  • T6555: Add server-bridge options to OpenVPN server
  • T6561: show ntp is not vrf aware
  • T6566: op-mode: "monitor bandwidth" add support for listing all interfaces concurrently
  • T6575: op-mode: ntp: add support for NTP service restart via CLI
  • T6576: op-mode: ntp: add support for NTP service restart via CLI
  • T6599: ipsec: support disabling rekey of CHILD_SA
  • T6668: op-cmd: show mac-sec details encrytion info
  • T6681: IPv6 SLAAC: Option to suppress Interval advertisement on RA packet
  • T6693: WiFi: Enable WiFi6 (IEEE 802.11ax) for 2.4GHz AccesPoints
  • T6701: Add support for disabling built-in DNS for containers
  • T6727: lldp: missing input validation for interface names
  • T6751: Missing Well Known Communities in Command Completion
  • T6759: Add additional languages as keyboard-layout
  • T6875: Make it possible to release an 'active' IP address from DHCP server leases
  • T6908: Avahi: add option to define mdns-repeater max-cache entries

Bug fixes

  • T6332: IPv6-only ISIS (or, in general, dual topology) is not working with other devices running frr
  • T6379: "generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients
  • T6401: Attempts to delete vlan-to-vni option causes an unhandled exception
  • T6407: ipsec profile generation error
  • T6425: WiFi: Beamformer support for 802.11ac (VHT at 5GHz) is broken
  • T6429: bug - isis metric-style not applied configuration
  • T6431: monitor traceroute broken VRF support
  • T6453: GRUB variables with = in a value are parsed improperly
  • T6460: Showing DHCPv6 leases can fail due to DUID parsing issues
  • T6463: reverse-proxy: service not reloaded when updating SSL certificate via PKI
  • T6464: sstpc: interface not restarted when updating SSL certificate via PKI
  • T6473: bgp: missing completion helper for peer-groups inside a VRF
  • T6475: WALinuxAgent crashes in Azure
  • T6480: PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem
  • T6484: Smoketest fails: fastnetmon killed due to OOM
  • T6486: Generate openvpn client-config ignores configured protocol type
  • T6503: Command 'restart ssh' not working
  • T6519: interfaces: 20-to-21 -> migration fails if new system has less ethernet interfaces
  • T6523: Error: "nft table ip vyos_filter not found" when commiting prometheus-client
  • T6536: Config migration does not work as expected when update from 1.3.2 to 1.4.0 (with NAT with wildcard and sysctl parameters)
  • T6544: vyos_net_name locking logic is broken
  • T6559: vyos-configd should return commit error on config dependency error
  • T6578: Unhandled exception in "show openconnect-server sessions"
  • T6584: Revert addition of Linux Kernel MT7921 driver
  • T6592: Changing VRF on interface fails
  • T6593: Release DHCP interface does not work
  • T6594: IPoE-server extended-scripts do not work
  • T6597: wireless: hostapd occationly gets deactivated via systemd and causes loss in connectivity
  • T6600: ospf: smoketest "router ospf' not found in" for ldp sync
  • T6602: interfaces: verify supplied VRF name on all interface types
  • T6603: vrf: nftables conntrack ct_iface_map contains multiple identical entries
  • T6605: ConfigError() behavior is wrong with running vyos-configd
  • T6610: Missing minisign pub key from image
  • T6617: ipsec: remote access VPN: "generate ipsec profile ios-remote-access" wrong profile for x509 auth
  • T6618: ipsec: remote access VPN: "generate ipsec profile windows-remote-access" broken
  • T6626: show dhcpv6 server leases fails
  • T6638: QoS CAKE config with PPPoE interface does not load after reboot
  • T6642: verify_interface_exists should not instantiate its own Config object
  • T6643: IP Address range in firewall rules throws error
  • T6646: 1.3.8 to 1.4.0 config migration fails due to conntrack ignore rule
  • T6658: Fix typo in write_file util
  • T6667: Problems with simultaneous usage of multiple vtysh processes
  • T6671: Confid dependency works incorrectly for conntrack and conntrack-sync
  • T6672: ssh-client source-interface CLI option failing with traceback
  • T6676: Invalid route-map caused bgpd to crash
  • T6682: show vpn ike sa peer always shows all SAs
  • T6702: Podman 4.9.5 is missing "podman.sock" service socket
  • T6715: date: manually changing time/date is not synced into hardware clock
  • T6719: syslog: fix the behavior of syslog global preserve-fqdn
  • T6757: Source address for RADIUS auth is not working in OpenConnect server
  • T6858: syslog: remote syslog broken after "add format option to include timezone in message"
  • T6860: Display the EULA in "run show license"
  • T6865: DHCP server op-mode sometimes does not show leases
  • T6866: babel: can not set IPv6 distribution-list in access-list6 format
  • T6878: The conntrack logger daemon continues running after its configuration is deleted
  • T6911: VyOS fails to commit if all elements of NTP service configuration are deleted
  • T6912: Build package script misses dependencies
  • T6920: multicast: static multicast routing throws TypeError
  • T6923: Debian security repository URLs are not overwritten correctly in the image build script
  • T6937: Schema generation broken in 1.4.1 due to missing import in op-mode script

Other resolved issues

  • T6423: Require command definition nodes that have an owner to also have a priority
  • T6446: Display the support URL from image build data in LTS builds
  • T6471: Add an optimized get_config_dict for op-mode
  • T6524: Rewrite "release dhcp interface <interface>" to Python to drop remaining Perl dependencies
  • T6598: Unexpected podman version 4.3.1
  • T6614: Initial support for smoketesting op-mode commands
  • T6653: Generate a build/manifest.json file after assembling the image(s)
  • T6859: Include EULAs in build type definitions
  • T6877: Add a script for merging flavor files
  • T6879: Add a build procedure for amazon-cloudwatch-agent
  • T6903: Make vyos-1x repo URL in vyos-build a configurable parameter

That is all for now but stay tuned for updates — we will have more news to share soon!
The post categories: ipsec qos release security 1.4

Comments

Blog Categories

RSS Feed arrow
See All Categories