CVE-2025-34311
📋 TL;DR
This CVE describes a command injection vulnerability in IPFire firewall software that allows authenticated attackers to execute arbitrary commands as the 'nobody' user when creating proxy reports. The vulnerability affects IPFire versions before 2.29 (Core Update 198) and requires authentication to exploit.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation from 'nobody' user to root, allowing complete control of the firewall appliance and potential lateral movement to internal networks.
Likely Case
Unauthorized command execution leading to data exfiltration, installation of backdoors, or disruption of firewall services.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent unauthorized access to the web interface.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. The vulnerability is well-documented with specific parameters identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: Yes
Instructions:
1. Log into the IPFire web interface.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Reboot the system when prompted.
🔧 Temporary Workarounds
Disable Proxy Report Creation
Temporarily disable the proxy report creation functionality to prevent exploitation.
# Remove execute permissions from calamaris.dat script
chmod -x /var/ipfire/proxy/calamaris.dat
Restrict Web Interface Access
Limit access to the IPFire web interface to trusted IP addresses only.
# Add firewall rule to restrict web interface access
iptables -A INPUT -p tcp --dport 444 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 444 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the IPFire web interface.
- Disable the proxy reporting feature entirely until patching is possible.
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface (System > About) or command line: 'cat /etc/ipfire-release'
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify version is 2.29 or higher and Core Update 198 is applied. Check that 'cat /etc/ipfire-release' shows 'IPFire 2.29 - Core Update 198' or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/logs.cgi/calamaris.dat with shell metacharacters in parameters
- Unexpected command execution by 'nobody' user in system logs
Network Indicators:
- HTTP POST requests to the proxy report endpoint containing shell metacharacters like ;, |, &, $, or backticks
SIEM Query:
source="ipfire_web_logs" AND uri="/cgi-bin/logs.cgi/calamaris.dat" AND (POST_param="DAY_BEGIN" OR POST_param="MONTH_BEGIN" OR POST_param="YEAR_BEGIN") AND POST_value MATCHES "[;|&$`]"
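Detection logic for the log indicators above, as an added example that is not part of the advisory or of IPFire's own tooling. It assumes Apache-style access-log lines in which the request parameters appear in the logged request line; the sample lines are constructed, and a real POST body is only visible if the web server is configured to log it.

```python
import re
from urllib.parse import unquote_plus

VULN_URI = "/cgi-bin/logs.cgi/calamaris.dat"  # endpoint named in the advisory
SUSPECT_PARAMS = ("DAY_BEGIN", "MONTH_BEGIN", "YEAR_BEGIN")  # parameters named
METACHARS = re.compile(r"[;|&$`]")  # shell metacharacters listed as indicators

# Constructed Apache-style log lines (not real IPFire logs); assumes the
# parameters appear in the logged request line (POST bodies need body logging).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/logs.cgi/calamaris.dat?DAY_BEGIN=1&MONTH_BEGIN=1&YEAR_BEGIN=2025 HTTP/1.1" 200 512
10.0.0.9 - admin [01/Jan/2025:10:00:05 +0000] "POST /cgi-bin/logs.cgi/calamaris.dat?DAY_BEGIN=1%3Bx&MONTH_BEGIN=1&YEAR_BEGIN=2025 HTTP/1.1" 200 512
10.0.0.9 - admin [01/Jan/2025:10:00:09 +0000] "POST /cgi-bin/logs.cgi/calamaris.dat?DAY_BEGIN=1&MONTH_BEGIN=1%7Cx&YEAR_BEGIN=2025 HTTP/1.1" 200 512
10.0.0.9 - admin [01/Jan/2025:10:00:12 +0000] "GET /cgi-bin/index.cgi?DAY_BEGIN=a|b HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def parse_query(query):
    """Split on '&' only, then percent-decode, so an encoded ';' (%3B) in a
    value is decoded and inspected rather than treated as a pair separator."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def suspicious_params(target):
    """Return {param: decoded value} for watched params carrying metacharacters."""
    path, _, query = target.partition("?")
    if path != VULN_URI:
        return {}
    params = parse_query(query)
    return {name: value for name in SUSPECT_PARAMS
            for value in params.get(name, []) if METACHARS.search(value)}

def scan_log(text):
    """Return (ip, user, timestamp, hits) for each log line matching the indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hits = suspicious_params(m.group("target")) if m else {}
        if hits:
            alerts.append((m.group("ip"), m.group("user"), m.group("ts"), hits))
    return alerts
```

Percent-encoded metacharacters are decoded before matching, which a query like the SIEM one above would miss unless its log source already decodes parameter values.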