pfSense servers exposed to RCE attacks via bug chain.
-
Just read this on the net. Can someone elaborate on this??
JMV
-
@JMV43-0 Read what on the net - what did you read? Link?
-
@JMV43-0 I found:
https://www.bleepingcomputer.com/news/security/over-1-450-pfsense-servers-exposed-to-rce-attacks-via-bug-chain/...which reads like it was written by someone who doesn't know that pfSense isn't "a server."
"Netgate, the vendor of pfSense, received reports about the three flaws on July 3, 2023, and released security updates that addressed them on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1)."
So basically they are saying OH NO 1450 firewalls haven't upgraded yet. Well there's far more than that. Guessing 1450 have their GUI exposed on WAN though? The last paragraph references Shodan.
-
@SteveITS here is my take on that..
Netgate, the vendor of pfSense, received reports about the three flaws on July 3, 2023, and released security updates that addressed them on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1).
However, a month after patches have been made available by Netgate, nearly 1,500 pfSense instances remain vulnerable to attacks.
Not even taking into account whether the exploits are even workable without exposing your GUI or SSH or some other services to the WAN. Out of the box nothing is allowed in on the WAN.
And let's say you're concerned locally even. Clearly pfSense addressed the issue with the release of 23.09 and 2.7.1; if users do not update, how is that a pfSense issue?
I see posts here all the time where users are running clearly outdated versions from years ago. If you're going to update anything, I would say keeping your firewall updated should be the top concern. You want to run an old version of Windows? OK, that is up to you. And if it's not exposed to the internet, and your network only has your own devices on it, etc., probably not that big of an issue. But yeah, you should keep the device between your network and the wild west of the internet up to date ;)
-
@johnpoz My take is a bit shorter: someone's job is to write an article about every RCE to get clicks. :)
-
@SteveITS ahahah - also very true, hehehe
Have seen many of them where to exploit something you have to be root on the box locally, and they call it an RCE.
-
Mmm. Do not open the webgui to the internet!
-
@JMV43-0 Gee thanks, only asking for some input from the ones that know how this system works. Too much to ask? Always uptight, not all but some!!
JMV
-
@stephenw10 said in pfSense servers exposed to RCE attacks via bug chain.:
Mmm. Do not open the webgui to the internet!
100% this.
I mean, I subscribe to "open the webgui to trusted IP addresses originating from the Internet" because I have a few remote addresses that I control, know, and trust to have remote admin access, but even then, you shouldn't just blindly open your pfSense to "all internet origin points". Heck, even putting client cert auth in front of the pfSense admin system would help.
More or less, Bleeping Computer is trying to generate headlines to:
(1) get more traffic/crap
(2) attempt to (badly) summarize the actual problem, and
(3) make a notice to people "UPDATE YOUR STUFF!" in big bold red letters. Either way, learn from the security pros like me: NEVER expose critical control panels, etc. to the Internet directly! It opens you to a PLETHORA of problems, not just regarding known vulns.
-
@teward Yes we are trying to learn, but always get our head bitten off for asking questions. Not all that use this firewall are experts. And have questions as stupid as they may sound.
JMV
-
@JMV43-0 No need to be rude, I'm simply agreeing with stephenw10's post, and they're an admin here. Don't go biting off other people's heads for their statements; that could be considered offensive to others. A lot of us aren't targeting you, we're simply stating that Bleeping Computer is spreading what is more-or-less FUD with certain "good intentions" and "bad intentions" simultaneously. We ain't biting off your head nor others' with valid questions, and in my case I'm not even directing this at you, I'm simply affirming stephenw's statement with enthusiasm, so I suggest taking a step back and reassessing how you are assessing statements made here.
-
@JMV43-0 said in pfSense servers exposed to RCE attacks via bug chain.:
Yes we are trying to learn, but always get our head bitten off for asking questions.
I think you are misreading the responses. The head biting is directed at the clickbait writer, not at you for asking a valid question.
Some of the people here are passionate.
-
@SteveITS said in pfSense servers exposed to RCE attacks via bug chain.:
...which reads like it was written by someone who doesn't know that pfSense isn't "a server."
My take is a bit shorter: someone's job is to write an article
Sports Illustrated?
-
@AndyRH said in pfSense servers exposed to RCE attacks via bug chain.:
head biting is directed at the click bait writer, not at you
This..! Apologies @JMV43-0 if it seemed I was being snarky towards you.
IOW, out of 7 million-ish installs, them calling out 1500 "still affected" seems unnecessary. 1) find CVE, 2) check Shodan for a count, 3) write article.
There was a Reddit thread on the same topic today and someone pointed out Netgate had fixed it within I think 2 days, then put them into the System Patches package to backport to older versions too. Usually they're pretty good at getting fixes out.
-
A few extra points here:
- They throw around the term "RCE" which sounds scary because "remote" but this bug requires the user to be authenticated AND have access to the pages in question to exploit it, so just because some poor soul left their GUI open to the world doesn't mean they can be exploited directly unless they also happen to use weak credentials or give up access in some other way (e.g. XSS). "Authenticated command execution" doesn't get as many clicks/shares.
- The Shodan stuff is irrelevant, but that doesn't stop people from quoting those Shodan numbers claiming those are vulnerable, though. Those people definitely should lock down their GUIs but not just out of concern for this. If some attacker could authenticate to their GUI remotely they'd have a lot more to worry about than this command execution issue.
- Not only were these patched in the repository code within days of being reported, the fixes were available via System Patches package when we released the first versions with the fix: Plus 23.09. Users who remained on Plus 23.05.1 or CE 2.7.0 could (after setting their update branches appropriately to stay on those versions), install or update their system patches package to obtain the corrections. This was noted in the security advisories and in the Plus 23.09 release notes.
3a. Those fixes were available for Plus and CE at the same time. Yes, a full release including the fix for CE came a few days later but the patches were available for both immediately.
tl;dr: Lots of FUD and clickbait involved here, but a couple legitimate points. Don't open your GUI to the Internet or even to untrusted local hosts, even if it's not all that relevant to this bug. Ideally you shouldn't use the same browser session for GUI admin work that you do for general web browsing. As always, keep things as up-to-date as possible, if you intend to delay upgrading, fix your update URL to stay on your current version and look for updates to the system patches package.
-
Yup there's no animosity toward @JMV43-0 here. After reading that article asking questions about it is completely legitimate IMO.
For clarity see our SA for this here: https://docs.netgate.com/downloads/pfSense-SA-23_10.webgui.asc
The impact of this is completely overblown. For a remote actor to exploit this the webgui must be open to the internet and they have to be logged in as a user that can access those pages and make changes. If they can do that you probably have bigger issues!
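The advice repeated through this thread (don't expose the webGUI on WAN; if you must, restrict it to specific trusted addresses) can be checked against a pfSense configuration backup rather than by eyeballing the rule list. The script below is an added example and is not part of this thread or Netgate's code. It assumes the config.xml layout seen in pfSense backups (`system/webgui/port` and `filter/rule` entries with `source`/`destination` children holding `any`, `address`, `network` and `port` elements); the embedded config is constructed for illustration, and alias names in a port field cannot be resolved offline so they are treated as covering the GUI port and flagged for manual review.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (NOT a real backup). Layout assumed to mirror
# pfSense: system/webgui/{protocol,port}, filter/rule/{type,interface,protocol,
# source,destination,descr}. 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><webgui><protocol>https</protocol><port></port></webgui></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>webgui open to the whole Internet (bad)</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><address>203.0.113.10</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>webgui from one trusted admin host</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><source><any/></source>
      <destination><network>wanip</network><port>1194</port></destination>
      <descr>OpenVPN, not the GUI</descr></rule>
    <rule><disabled/><type>pass</type><interface>wan</interface>
      <protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>old open rule, disabled</descr></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>default LAN rule</descr></rule>
  </filter>
</pfsense>
"""


def webgui_port(root):
    """Port the GUI listens on: explicit <port>, else 443 for https / 80 for http."""
    gui = root.find("system/webgui")
    if gui is None:
        return 443
    port = (gui.findtext("port") or "").strip()
    if port.isdigit():
        return int(port)
    return 80 if (gui.findtext("protocol") or "https").strip() == "http" else 443


def port_covers(port_text, target):
    """True if a destination port spec ("443", "440-450", "", alias) covers target.
    Empty means any port. An alias name cannot be resolved offline, so it is
    conservatively reported as covering the port (manual review needed)."""
    port_text = (port_text or "").strip()
    if port_text == "":
        return True
    if "-" in port_text:
        lo, hi = port_text.split("-", 1)
        if lo.isdigit() and hi.isdigit():
            return int(lo) <= target <= int(hi)
        return True
    if port_text.isdigit():
        return int(port_text) == target
    return True


def describe_endpoint(node):
    """Render a <source>/<destination> node as 'any', an address, or a network name."""
    if node is None or node.find("any") is not None:
        return "any"
    for tag in ("address", "network"):
        val = node.findtext(tag)
        if val and val.strip():
            return val.strip()
    return "unknown"


def audit_wan_gui_rules(xml_text):
    """Return enabled WAN pass rules that can reach the webGUI port on this firewall.
    Each finding notes the source and whether it is the whole Internet ('any')."""
    root = ET.fromstring(xml_text)
    gui_port = webgui_port(root)
    findings = []
    for rule in root.findall("filter/rule"):
        if rule.find("disabled") is not None:
            continue
        if (rule.findtext("type") or "").strip() != "pass":
            continue
        if (rule.findtext("interface") or "").strip() != "wan":
            continue
        proto = (rule.findtext("protocol") or "any").strip()
        if proto not in ("tcp", "tcp/udp", "any"):
            continue
        dst = rule.find("destination")
        if describe_endpoint(dst) not in ("any", "wanip", "(self)"):
            continue  # forwarded elsewhere, not the firewall's own GUI
        if not port_covers(dst.findtext("port") if dst is not None else "", gui_port):
            continue
        src = describe_endpoint(rule.find("source"))
        findings.append({"descr": (rule.findtext("descr") or "").strip(),
                         "source": src, "open_to_any": src == "any"})
    return findings


if __name__ == "__main__":
    for f in audit_wan_gui_rules(SAMPLE_CONFIG):
        print(("OPEN TO ANY  " if f["open_to_any"] else "restricted   ") + f"{f['source']:<16} {f['descr']}")
```

Run it against a downloaded config.xml by swapping in `open(path).read()` for `SAMPLE_CONFIG`. A finding with `open_to_any` is the case every poster above warns about; a finding with a specific address is the "trusted IPs only" compromise, which still leaves the login page reachable from those hosts, so the update advice in the thread applies either way.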