CVE-2022-25667
-
Man-in-the-Middle Attacks without Rogue AP:
When WPAs Meet ICMP Redirects. Any tips how to avoid this on pfSense with wireless AP point on. -
@antibiotic said in CVE-2022-25667:
Any tips how to avoid this on pfSense with wireless AP point on.
Get a dedicated Wireless AP. The built-in WiFi in FreeBSD has almost no support upstream and is thus severely handcuffed in pfSense.
-
That looks like a firmware vulnerability not an issue that would affect FreeBSD/pfSense directly.
-
@stephenw10 So, if have wireless AP directly on pfsense box, this will not touch me. Is is corerct?
-
@antibiotic We aren't able to tell you one way or the other as this vulnerability appears to be applicable to certain hardware.
For best wireless experiences you are best suited not using the pfSense to host your wireless and leaving that to a dedicated appliance.
-
@rcoleman-netgate Having use pfsense now on old laptop and WiFi working fine with Atheros chip.
-
What Atheros chip? What firmware version is it running?
It's hard to tell from the reports exactly where the issue is. They list chipsets that are wifi cards but also refer to NPUs which seem more like a complete access point device.
-
@stephenw10 class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002b subvendor=0x1a3b subdevice=0x1089
vendor = 'Qualcomm Atheros'
device = 'AR9285 Wireless Network Adapter (PCI-Express)' -
That's not one of the listed chipsets. Probably too old, pre-Qualcom.
Might be vulnerable to something else though. WIFI is inherently vulnerable IMO.
-
@stephenw10 OK , thank you
