
    Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850

      Luca De Andreis

      Hi all,

      ... yesterday OpenVPN 2.6.7 was released in the security branch of OpenBSD.

      Any way to apply in PfSense Plus ?

        mc.gyver.reboot

        Hi,

        I am also aware of two vulnerabilities in openvpn 2.6.0 to 2.6.6.
        https://nvd.nist.gov/vuln/detail/CVE-2023-46850
        https://nvd.nist.gov/vuln/detail/CVE-2023-46849

        If the information I retrieve on my firewalls is right, pfSense 2.6.0 is not impacted because it embeds OpenVPN 2.5.4, but pfSense 2.7.0 may be impacted because it embeds OpenVPN 2.6.4.
        This is a deduction I made because I don't see much news on the pfSense side. I don't see any updates available from the webGUI of my pfSense 2.7.0.

        Can you confirm for me whether pfSense 2.6.0 and 2.7.0 are affected by these vulnerabilities?

        Here is the source I originally got:
        https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/

        Thanks

          michmoor LAYER 8 Rebel Alliance @mc.gyver.reboot

          @mc-gyver-reboot

          https://redmine.pfsense.org/issues/14985#change-70888

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

            Luca De Andreis @michmoor

            @michmoor

            OK, well, for the CE release that is coming soon, but for Plus, which just came out as 23.09, will we need to wait for 24.03 (as specified in the linked page)?

              jimp Rebel Alliance Developer Netgate @Luca De Andreis

              @Luca-De-Andreis said in Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850:

              @michmoor

              OK, well, for the CE release that is coming soon, but for Plus, which just came out as 23.09, will we need to wait for 24.03 (as specified in the linked page)?

              We may pick back the change so users on 23.09 can upgrade it manually in the shell if they want to do so. We're still weighing our options there.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                mc.gyver.reboot @michmoor

                @michmoor

                Thank you very much for the reply!
                So I will wait for version 2.7.1 of pfsense CE.

                I would like to come back to one point, namely whether version 2.6.x of pfsense CE is affected by these vulnerabilities.
                Would you have the information?

                THANKS

                  jimp Rebel Alliance Developer Netgate @Luca De Andreis

                  @Luca-De-Andreis said in Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850:

                  @michmoor

                  OK, well, for the CE release that is coming soon, but for Plus, which just came out as 23.09, will we need to wait for 24.03 (as specified in the linked page)?

                  We pulled the updated version back into 23.09. You can update it manually from the shell (e.g. pkg-static upgrade openvpn) but there also happens to be an update for the OpenVPN client export package. If you update that in the GUI, it also pulls in the OpenVPN upgrade:

                  Installed packages to be UPGRADED:
                  	openvpn: 2.6.5 -> 2.6.7_1 [pfSense]
                  	openvpn-client-export: 2.6.5 -> 2.6.7 [pfSense]
                  	pfSense-pkg-openvpn-client-export: 1.9_1 -> 1.9.2 [pfSense]
                  

                  You'll want to restart the daemons manually after that (or reboot) to ensure they are running the updated version.

                  @mc-gyver-reboot said in Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850:

                  @michmoor
                  So I will wait for version 2.7.1 of pfsense CE.

                  That is out now, it was released yesterday evening.

                  I would like to come back to one point, namely whether version 2.6.x of pfsense CE is affected by these vulnerabilities.

                  Most likely, it is running an older version of OpenVPN. That version is no longer maintained, anyone on CE should upgrade to 2.7.1.

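The procedure jimp describes above (check the installed package, upgrade, restart the instances) as an added POSIX sh check; this is not code from the thread or from Netgate/pfSense. It reads the output of `pkg-static info -x openvpn` (a constructed sample is embedded), keeps only the daemon's own `openvpn-<version>` line because `-x` is a regex that also matches the client-export packages, strips pkg(8) revision suffixes such as `_1`, and reports whether the version lies in the 2.6.0 to 2.6.6 range named in the advisory links posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, nor pfSense/Netgate code): decide from
# `pkg-static info -x openvpn` output whether the installed OpenVPN daemon is
# in the range the advisory in this thread names as affected, 2.6.0 to 2.6.6.

# Strip pkg(8) revision ("_1") and epoch (",1") suffixes: "2.6.7_1" -> "2.6.7".
strip_pkg_suffix() {
    v=$1; v=${v%%_*}; v=${v%%,*}
    printf '%s\n' "$v"
}

# Map "major.minor.patch" to one comparable integer (assumes components < 1000).
vernum() {
    v=$(strip_pkg_suffix "$1")
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    printf '%d\n' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True when the version lies in [2.6.0, 2.6.6], the range fixed by 2.6.7.
openvpn_affected() {
    n=$(vernum "$1")
    [ "$n" -ge "$(vernum 2.6.0)" ] && [ "$n" -le "$(vernum 2.6.6)" ]
}

# `pkg info -x` takes a regex, so the client-export packages match as well;
# keep only the daemon's own line ("openvpn-<version>") and print the version.
openvpn_version_from_pkg_info() {
    printf '%s\n' "$1" | awk '/^openvpn-[0-9]/ { sub(/^openvpn-/, "", $1); print $1; exit }'
}

# Returns 1 if an upgrade is needed, 0 if not, 2 if no openvpn package is listed.
check_openvpn() {
    ver=$(openvpn_version_from_pkg_info "$1")
    if [ -z "$ver" ]; then echo "no openvpn package found"; return 2; fi
    if openvpn_affected "$ver"; then
        echo "openvpn $ver is in the affected range: run 'pkg-static upgrade openvpn', then restart the OpenVPN instances"
        return 1
    fi
    echo "openvpn $ver is outside the affected range"
}

# Constructed samples of `pkg-static info -x openvpn` output on 23.09, before and after the fix.
SAMPLE_BEFORE='openvpn-2.6.5                  Secure IP/Ethernet tunnel daemon
openvpn-client-export-2.6.5    OpenVPN client export helper'
SAMPLE_AFTER='openvpn-2.6.7_1                Secure IP/Ethernet tunnel daemon
openvpn-client-export-2.6.7    OpenVPN client export helper'

check_openvpn "$SAMPLE_BEFORE"
check_openvpn "$SAMPLE_AFTER"
```

On a real box, replace the sample with `check_openvpn "$(pkg-static info -x openvpn)"`; a non-zero exit status means the daemon is still on an affected build.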
                    mcury @jimp

                    @jimp Hello Jimp, thanks for that, really appreciate how fast you guys worked to solve that issue.

                    But do you know if that package is already available? For me it seems that it isn't.

                    [23.09-RELEASE][root@pfsense.home.arpa]/root: pkg-static upgrade openvpn
                    Updating pfSense-core repository catalogue...
                    Fetching meta.conf:   0%
                    pfSense-core repository is up to date.
                    Updating pfSense repository catalogue...
                    Fetching meta.conf:   0%
                    pfSense repository is up to date.
                    All repositories are up to date.
                    Checking integrity... done (0 conflicting)
                    Your packages are up to date.
                    

                    dead on arrival, nowhere to be found.

                      jimp Rebel Alliance Developer Netgate (last edited by jimp)

                      Did you already update the export package in the GUI?

                      What happens if you run pkg-static info -x openvpn?

                      EDIT: Nevermind it looks like some users may not be seeing the updates yet, should be resolved shortly.

                        mcury @jimp

                        @jimp said in Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850:

                        EDIT: Nevermind it looks like some users may not be seeing the updates yet, should be resolved shortly.

                        Oh, that's ok then, I'll be trying again later, thanks a lot 👍

                          jimp Rebel Alliance Developer Netgate

                          Should be available for everyone now, give it another try

                            mcury @jimp

                            @jimp said in Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850:

                            Should be available for everyone now, give it another try

                            Upgraded successfully.

                            Installed packages to be UPGRADED:
                            	pkg: 1.20.8_1 -> 1.20.8_2 [pfSense]
                            
                            Installed packages to be UPGRADED:
                            	openvpn: 2.6.5 -> 2.6.7_1 [pfSense]
                            

                              mc.gyver.reboot @jimp

                              @jimp
                              Hi,

                              thanks for the answers!

                              Regarding the fact that the pfSense 2.6.0 CE version is impacted: for my part, I was able to confirm last week that on one of my firewalls running 2.6.0 and not up to date, the OpenVPN package available was 2.5.4, while today I have version 2.6.4.
                              What is strange is that, as https://cve.mitre.org/ indicates, only versions 2.6.0 to 2.6.6 are impacted...


                              To conclude, you must upgrade to pfSense CE version 2.7.1.
