[ixpmanager] [RELEASE] v6.3.0 - Security hardening, with various improvements and bug fixes
Barry O'Donovan (INEX)
barry.odonovan at inex.ie
Wed Nov 2 11:57:23 GMT 2022
We are pleased to announce the immediate availability of IXP Manager v6.3.0.
A commercial IT consultancy provider uses IXP Manager in one of their
solutions. They had their overall solution reviewed by an
internationally respected cyber security and risk assessor. This review
included IXP Manager and the commercial IT consultancy responsibly
disclosed all of the issues and advice related to IXP Manager to us.
These have been addressed in this release and are itemised via the URL
below. We recommend all IXPs that use IXP Manager upgrade to this new
version.
We thank the IT consultancy, and those within it whom we have been
dealing with, for sharing the findings with us.
Full details are available at:
https://github.com/inex/IXP-Manager/releases/tag/v6.3.0
Additional note regarding the security updates:
For the most part, these relate to the trade-off between user-friendly /
assumed-user-intelligence behaviours versus security best practices. We
should of course strive towards security best practices in the modern
cyber-security era. Much of what was reported relates to hardening the
system and reducing avenues for brute force attacks (e.g. username
discovery via iteration and then brute force access via use of
simplistic passwords).
Our general advice for user accounts with superuser privileges (i.e.
priv level 3 / IXP staff) is:
* Enforce 2fa for admin users - see
https://docs.ixpmanager.org/usage/authentication/#two-factor-authentication-2fa
* Ensure all admin users are trained in basic account security /
cyber-security best practices.
* Ensure all admin users use a secure password (now enforced for new
passwords).
* Ideally, you should be using a secure password manager and not
repeating passwords across different sites.
* Ensure SSL is enabled and enforced for your IXP Manager installation
with a signed certificate.
Some of the other issues found include:
* The document store allows any kind of document to be uploaded. We note
this here: https://docs.ixpmanager.org/features/docstore/#notes-limitations
* The possibility of 'chaining' issues to gain access to an account via
brute force (e.g. the username enumeration and simplistic password chain
mentioned above).
* The availability of phpinfo() to admin users and specifically the
availability of the HTTP cookie. This is not an issue as the cookie is
actually encrypted but we now disable this in production environments
with on screen instructions on how to enable it.
* A couple of specific XSS issues that we had missed in our own exhaustive
review of these.
* Some small bugs now also fixed.
Thanks,
- Barry
--
Kind regards,
Barry O'Donovan
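As an added illustration of the brute force chain described above (username discovery by iteration, then guessing of simplistic passwords) and of the countermeasures in the advice list, the following Python is example code written for this note. It is not IXP Manager code (IXP Manager is a PHP/Laravel application) and does not reflect how that project implements its login or password rules; the in-memory user store, the dummy-hash trick for unknown usernames, the lockout threshold, the PBKDF2 iteration count and the password policy are all assumptions chosen for the example.

```python
"""Login hardening example (constructed, not IXP Manager code).

Contrasts a login that leaks which usernames exist with one that returns a
single generic failure, does comparable work for unknown users, counts failed
attempts, and enforces a minimum password policy on new passwords.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000          # assumed; illustrative, use a higher work factor in production
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
GENERIC_FAILURE = "Invalid username or password."
# Constructed deny-list standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "admin"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# A throwaway credential hashed once at start-up. Verifying against it when the
# username does not exist means a lookup of a missing user costs about the same
# as one of a real user, so response time does not reveal which names exist.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)

    def add(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = User(username, salt, digest)


def leaky_login(store: UserStore, username: str, password: str) -> Tuple[bool, str]:
    """Enumeration-prone variant, shown only for contrast: the two distinct
    failure messages let an attacker iterate usernames and keep the valid ones."""
    user = store.users.get(username)
    if user is None:
        return False, "No such user."
    _, digest = hash_password(password, user.salt)
    if digest != user.pw_hash:
        return False, "Wrong password."
    return True, "OK"


def hardened_login(store: UserStore, username: str, password: str) -> Tuple[bool, str]:
    """Same failure text for unknown user, wrong password and locked account."""
    user = store.users.get(username)
    if user is None:
        _, digest = hash_password(password, _DUMMY_SALT)
        hmac.compare_digest(digest, _DUMMY_HASH)   # result ignored; work done on purpose
        return False, GENERIC_FAILURE
    _, digest = hash_password(password, user.salt)
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # Locked: even the correct password fails, and the message is unchanged.
        return False, GENERIC_FAILURE
    if not hmac.compare_digest(digest, user.pw_hash):
        user.failed_attempts += 1
        return False, GENERIC_FAILURE
    user.failed_attempts = 0
    return True, "OK"


def password_problems(password: str) -> List[str]:
    """Return the policy rules a proposed new password violates (empty = acceptable).
    Assumed policy: 12+ characters, 3 of 4 character classes, not on the deny-list."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    return problems


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "Correct-Horse-9-Battery")
    print("leaky, unknown user:   ", leaky_login(store, "bob", "x"))
    print("leaky, wrong password: ", leaky_login(store, "alice", "x"))
    print("hardened, unknown user:", hardened_login(store, "bob", "x"))
    print("hardened, wrong pw:    ", hardened_login(store, "alice", "x"))
    print("new password 'password':", password_problems("password"))
```

The lockout counter is the simplest form of throttling and has its own failure mode: an attacker who can guess usernames can lock legitimate admins out. A per-source-address rate limit or exponential back-off in front of the login is the usual complement, and with 2FA enforced for privilege level 3 accounts a guessed password alone is still not enough to log in.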