Good morning,

Today we are fixing a security issue involving the "installer" user and kernel-based TCP panics that some have been fighting with since FreeBSD 13. Some ports and plugins have also been updated now that the holiday season is coming to its inevitable end.

The security issue arises on fresh 22.7 installs only due to a boot-time optimization of user account handling since 22.1.8. Users are not reset on each boot anymore which improved boot times with many users but also made the "installer" user stick with the default password in this situation. Physical access to the console with this user was possible under these conditions even after installation and updates were completed. SSH access was also possible when both not restricting login to keys and allowing root login manually. The mandatory reboot after the update to 22.7.5 or higher remedies this problem.

In a default install the issue could only be exploited by manual console access. In general we want to advise users not to yield shell/console access to non-administrators, restrict physical access if applicable, and not offer SSH access based on user accounts, especially when SSH is accessible from the WAN side without a VPN.

In any case we recommend all users of 22.7.x to update immediately or take the necessary precautions to avoid the "installer" user from being accessed in an unauthorized fashion.

Here are the full patch notes:


Stay safe,
Your OPNsense team