github NHAS/wag v1.4.4
v1.4.4 - Security Patch

23 months ago

This update resolves an inconsistency in the XDP firewall that would have resulted in network hosts being unintentionally exposed under specific configurations.

Patching

This will require a full restart of wag (not just a hot upgrade) as the change is in the XDP firewall itself.

Description

If a public allowed route also matches an MFA route, the public route would be used if the user was not authorized, effectively meaning that the user would always be able to access the host/network.

Example Vulnerable Configuration

In the following configuration, a user would have always had access to the 10.0.0.0/24 network, regardless of MFA status. This is not intended.

    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "10.0.0.0/24"
                ],
                "Allow": [
                    "0.0.0.0/0"
                ]
            }
        }
    }
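To check whether a configuration matches the condition described above, the following added example (not part of wag or its release notes) flags every `Allow` route that overlaps an `Mfa` route within the same policy block. It assumes entries are plain IPs or CIDRs as in the configuration shown; the function names, the sample data and the `group:ops` policy are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the first policy mirrors the vulnerable configuration
# above, the second is a non-overlapping policy added for contrast.
SAMPLE_CONFIG = """
{
  "Acls": {
    "Policies": {
      "*": {"Mfa": ["10.0.0.0/24"], "Allow": ["0.0.0.0/0"]},
      "group:ops": {"Mfa": ["192.168.5.0/24"], "Allow": ["172.16.0.0/16"]}
    }
  }
}
"""


def _networks(entries):
    """Parse plain IP/CIDR entries; anything else is skipped (assumption)."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # not a bare IP/CIDR, outside the scope of this check
    return nets


def find_mfa_allow_overlaps(config):
    """Return (policy, mfa_route, allow_route) for each Allow route that
    overlaps an Mfa route in the same policy block."""
    findings = []
    policies = config.get("Acls", {}).get("Policies", {})
    for name, policy in policies.items():
        allow = _networks(policy.get("Allow") or [])
        for mfa in _networks(policy.get("Mfa") or []):
            for pub in allow:
                # Compare only like address families, then test for overlap.
                if mfa.version == pub.version and mfa.overlaps(pub):
                    findings.append((name, str(mfa), str(pub)))
    return findings


if __name__ == "__main__":
    for name, mfa, pub in find_mfa_allow_overlaps(json.loads(SAMPLE_CONFIG)):
        print(f"policy {name!r}: Mfa route {mfa} also matches Allow route {pub}")
```

Any finding on a deployment running a version before v1.4.4 marks a route that was reachable without MFA.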
