2022-07-11 - sympl-firewall critical update

Kelduum · 11 July 2022 16:48

While investigating and resolving a longstanding bug with Sympl (which looks to go back to Symbiosis), I discovered a particularly unpleasant bug with the way sympl-firewall handles DNS resolution for whitelist and blacklist entries, which could lead to the firewall becoming misconfigured and causing a denial of service.

I’ve pushed an update out for it as sympl-firewall versions 10.20220711.0 and 11.20220711.0 (for Buster and Bullseye respectively).

Users with Managed Mythic Beasts servers running Sympl have been updated as part of the 0-day process, but this should be automatically applied to non-managed servers in the next 24 hours by sympl-updater.

I’d rather not go into more details for now, in order to allow everyone to get up to date, but it’s worth noting that Sympl Stretch and all versions of Symbiosis are affected by this bug, with Symbiosis potentially being significantly more exploitable.

tricky · 12 July 2022 09:23

Edited: thought it looked like the issue had affected one of our servers, but with a quick chat with @Kelduum think i’ve pieced together that the issue was - i’ll skip discussing in detail given updates are being rolled out, but certain it wasn’t an external exploit of the bug

compassweb · 17 July 2022 08:11

Further to this topic, I’ve been receiving the hourly messages below for the past few days. [ -x /usr/sbin/sympl-firewall ] && /usr/sbin/sympl-firewall

Warning: Unable to resolve ‘www.easyphpcalendar.com’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve 'https://theme-fusion.com’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve 'https://updates.theme-fusion.com’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve ‘https://build.envato.com/api/’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve ‘build.envato.com/api/’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve 'https://api.twitter.com’ to an IP address. Falling back to 127.9.1.1. Warning: Unable to resolve ‘https://my.elementor.com/subscriptions/’ to an IP address. Falling back to 127.9.1.1.

Do I need to run an update?

Kelduum · 17 July 2022 09:02

You have those addresses and URLs configured, likely as whitelists and blacklists - Sympl doesn’t support whitelisting URLs, only domains, and it appears some of them no longer have addresses.

Symbiosis and versions of sympl-firewall previous to x.22020711.0 mishandled addresses and other items not resolved in DNS, which meant whitelist and blacklist entries will have not worked as expected.

You’ll want to remove the https:// where it’s there, and drop any paths (e.g. /api) from what you have configured, as those are invalid - at that point, you should stop getting the warnings.

compassweb · 2 August 2022 17:00

Hi Paul,
Sorry it’s taken a while to revert. I have those addresses listed in

/etc/sympl/firewall/outgoing.d/50-reject-www-data

So yes whitelisted to facilitate automatic updates. All was working fine until recently.

Kind regards Pete

Kelduum · 4 August 2022 15:59

I’ve messaged you prviately, but as mentioned, those lines are invalid for that file.

Also, 50-reject-www-data was retired in the last version of Symbiosis
five years ago, as it breaks IPv6 compatibility and when operating normally it causes more problems than it actually solves leading to a significant number of compromised servers as they couldn’t update.

There has been no support for it in this or any version of Sympl, and functionality still exists only as legacy code.

Instead, Sympl properly secures PHP and the directory structure to prevent sites from being compromised in the first place, instead of attempting to prevent them from connecting to other sites.

Kelduum · 12 August 2022 11:45

It looks like the vast majority of Sympl Stretch servers have been upgraded, and theres been plenty of time for someone to update, so it’s worth detailing the issue now.

sympl-firewall (and symbiosis-firewall) can take a list of domains in the blacklist, whitelist and other files, to allow you to filter on hostnames, which can be handy for CDNs.

It turns out that the code which managed this didn’t fail-safe when passed invalid data, and instead of returning an IP address, returned a null value to apply to the filtering.

This in itself wouldn’t be a problem, but in addition, the code which handles that input accepts it as valid, and then whitelists/blacklists all hosts, so whitelisting invalid data will end with everything whitelisted (which negates the point of a whitelist), and blacklisting had the effect of blacklisting all IPs, which can, of course, lead to significant issues if your address isn’t whitelisted.

This was fixed in Sympl 10 and 11 (on Debian Buster and Bullseye) but remains un-fixed with Symbiosis.

With Symbiosis this is a more significant issue as theres very little security protection with PHP, so a compromised site could potentially do things like open firewall configurations or drop the firewall fully, allowing direct unencrypted access to things like MySQL.

As before, as development for Symbiosis was halted with the release of the new EOL Symbiosis Stretch, no sign of any further development, we urge all Symbiosis users to migrate to Sympl as soon as possible.

As always, of anyone has any questions, feel free to post here or message me privately.