Netgate Discussion Forum

    pfSense servers exposed to RCE attacks via bug chain.

      SteveITS Galactic Empire @johnpoz

      @johnpoz My take is a bit shorter: someone's job is to write an article about every RCE to get clicks. :)

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        johnpoz LAYER 8 Global Moderator @SteveITS

        @SteveITS ahahah - also very true, hehehe

        Have seen many of them where to exploit something you have to be root on the box locally.. And they call it a RCE.

        [image: means.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          stephenw10 Netgate Administrator

          Mmm. Do not open the webgui to the internet! 🙄

            JMV43 0 @JMV43 0

            @JMV43-0 Gee thanks, only asking for some input from the ones that know how this system works. Too much to ask? Always uptight, not all but some!!

            JMV

              teward @stephenw10

              @stephenw10 said in pfSense servers exposed to RCE attacks via bug chain.:

              Mmm. Do not open the webgui to the internet! 🙄

              100% this.

              I mean, I ascribe to the "open webgui to Trusted IP addresses originating from the Internet" because I have a few remote addresses that I control, know, and trust to have remote admin access, but even then, you shouldn't just blindly open your pfSense to "all internet origin points". Heck, even putting client cert auth in front of the pfSense admin system would help.

              More or less, Bleeping Computer is trying to generate headlines to:
              (1) get more traffic/crap
              (2) attempt to (badly) summarize the actual problem, and
              (3) make a notice to people "UPDATE YOUR STUFF!" in big bold red letters.

              Either way, learn from the Security pros like me - NEVER expose critical control panels, etc. to the Internet directly! It opens you to a PLETHORA of problems, not just regarding known vulns.

                JMV43 0 @teward

                @teward Yes we are trying to learn, but always get our head bitten off for asking questions. Not all that use this firewall are experts. And have questions as stupid as they may sound.

                JMV

                  teward @JMV43 0

                  @JMV43-0 No need to be rude, I'm simply agreeing with stephenw10's post - and they're an admin here. Don't go biting off other people's heads for their statements; that could be considered offensive to others. A lot of us aren't targeting you, we're simply stating that Bleeping Computer is spreading what is more-or-less FUD with certain "good intentions" and "bad intentions" simultaneously. We ain't biting off your heads nor others' with valid questions, and in my case I'm not even directed at you, I'm simply affirming stephenw's statement with enthusiasm, so I suggest taking a step back and reassessing how you are assessing statements made here.

                    AndyRH @JMV43 0

                    @JMV43-0 said in pfSense servers exposed to RCE attacks via bug chain.:

                    Yes we are trying to learn, but always get our head bitten off for asking questions.

                    I think you are misreading the responses. The head biting is directed at the click bait writer, not at you for asking a valid question.

                    Some of the people here are passionate.

                    o||||o
                    7100-1u

                      jrey @SteveITS

                      @SteveITS said in pfSense servers exposed to RCE attacks via bug chain.:

                      ...which reads like it was written by someone who doesn't know that pfSense isn't "a server."

                      My take is a bit shorter: someone's job is to write an article

                      sports illustrated ?

                        SteveITS Galactic Empire @AndyRH

                        @AndyRH said in pfSense servers exposed to RCE attacks via bug chain.:

                        head biting is directed at the click bait writer, not at you

                        This..! Apologies @JMV43-0 if it seemed I was being snarky towards you.

                        IOW, out of 7 million-ish installs, them calling out 1500 "still affected" seems unnecessary. 1) find CVE, 2) check Shodan for a count, 3) write article.

                        There was a Reddit thread on the same topic today and someone pointed out Netgate had fixed it within I think 2 days, then put them into the System Patches package to backport to older versions too. Usually they're pretty good at getting fixes out.


                          jimp Rebel Alliance Developer Netgate

                          A few extra points here:

                          1. They throw around the term "RCE" which sounds scary because "remote" but this bug requires the user to be authenticated AND have access to the pages in question to exploit it, so just because some poor soul left their GUI open to the world doesn't mean they can be exploited directly unless they also happen to use weak credentials or give up access in some other way (e.g. XSS). "Authenticated command execution" doesn't get as many clicks/shares.
                          2. The Shodan stuff is irrelevant, but that doesn't stop people from quoting those Shodan numbers claiming those are vulnerable, though. Those people definitely should lock down their GUIs but not just out of concern for this. If some attacker could authenticate to their GUI remotely they'd have a lot more to worry about than this command execution issue.
                          3. Not only were these patched in the repository code within days of being reported, the fixes were available via the System Patches package when we released the first versions with the fix: Plus 23.09. Users who remained on Plus 23.05.1 or CE 2.7.0 could (after setting their update branches appropriately to stay on those versions) install or update their System Patches package to obtain the corrections. This was noted in the security advisories and in the Plus 23.09 release notes.
                            3a. Those fixes were available for Plus and CE at the same time. Yes, a full release including the fix for CE came a few days later but the patches were available for both immediately.

                          tl;dr: Lots of FUD and clickbait involved here, but a couple legitimate points. Don't open your GUI to the Internet or even to untrusted local hosts, even if it's not all that relevant to this bug. Ideally you shouldn't use the same browser session for GUI admin work that you do for general web browsing. As always, keep things as up-to-date as possible, if you intend to delay upgrading, fix your update URL to stay on your current version and look for updates to the system patches package.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

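As an added illustration of the advice in teward's and jimp's posts above (keep the GUI reachable only from trusted sources, and know whether your WAN rules actually admit anyone), here is a small POSIX shell audit that reads a ruleset in `pfctl -sr` output format and flags any pass rule admitting the GUI port from `any` on the WAN interface. This is not code from the thread or from Netgate; the interface name `em0`, the `<gui_admins>` table and the sample rule lines are constructed assumptions, and on pfSense you would correct an offending rule under Firewall > Rules rather than by editing pf directly.

```shell
#!/bin/sh
# Added example (not from the thread or Netgate): flag pass rules that admit
# the webGUI port from any source on the WAN interface.
# Interface name, port name and the sample rules below are assumptions.

WAN_IF="${WAN_IF:-em0}"
GUI_PORT="${GUI_PORT:-https}"

# Reads rules in pfctl -sr format on stdin. Prints every rule that passes
# traffic to the GUI port on the WAN interface from "any".
# Returns 1 if at least one such rule was found, 0 otherwise.
find_open_gui_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            "pass in"*"on $WAN_IF "*"from any to "*"port = $GUI_PORT"*)
                printf 'EXPOSED: %s\n' "$rule"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in the shape of pfctl -sr output (not captured from a
# real firewall). Line 1 is the restricted form: source limited to a table of
# trusted admin addresses. Line 2 is the weak form the thread warns about.
SAMPLE_RULES='pass in quick on em0 inet proto tcp from <gui_admins> to (em0) port = https flags S/SA keep state
pass in quick on em0 inet proto tcp from any to (em0) port = https flags S/SA keep state
block drop in log quick on em0 inet all label "Default deny rule IPv4"'

# Runs the audit over the constructed sample; exit status 1 means exposure.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_open_gui_rules
}

# Stand-alone usage: audit_sample  (on a real box: pfctl -sr | find_open_gui_rules)
```

On a live pfSense box you would source the two functions and run `pfctl -sr | find_open_gui_rules` as root; a non-zero exit means at least one loaded rule lets every Internet address reach the GUI port. As jimp notes, that alone does not make you exploitable by this particular authenticated bug, but it is the exposure the thread keeps telling people to remove.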
                            stephenw10 Netgate Administrator

                            Yup there's no animosity toward @JMV43-0 here. After reading that article asking questions about it is completely legitimate IMO. 👍

                            For clarity see our SA for this here: https://docs.netgate.com/downloads/pfSense-SA-23_10.webgui.asc

                            The impact of this is completely overblown. For a remote actor to exploit this the webgui must be open to the internet and they have to be logged in as a user that can access those pages and make changes. If they can do that you probably have bigger issues!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.