Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Do the OpenSSH 7.9 CVEs apply to pfSense?

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 750 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • senseivitaS Offline
      senseivita
      last edited by

      I was playing around on Shodan.io and I could resist entering my gateway's IP address on the search box; it only detects the ports for the HTTP & SSH services so pretty good considering that firewall doesn't block anything at all, it NATs full cone via tunnel all traffic to the local firewall (and completely unencrypted)

      Anyway, it found these CVE warnings:
      Screen Shot 2022-01-19 at 03.31.25.png

      Honestly I'd be more worried about my IP address getting blacklisted – as it turns out it already is, at the ASN level – than if the gateway gets compromised but I am curious so I had to come find out if pfSense is affected by it. It does say it's pretty much a wild guess just on the version alone. :) Should I start clutching my pearls and looking around bewildered? :O

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @senseivita
        last edited by

        @skilledinept said in Do the OpenSSH 7.9 CVEs apply to pfSense?:

        it NATs full cone via tunnel all traffic to the local firewall

        So where you actually talking to pfsense ssh there, or were you talking to the firewall behind pfsense ssh?

        But all of those issues look more like client issues, and possible man in the middle attacks on your client.. Are you using ssh pfsense as client to talk to something that could be a mitm to where your wanting to talk to?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        senseivitaS 1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          2.5.2 uses 7.9p1 anyway:

          [2.5.2-RELEASE][admin@pfsense.fire.box]/root: ssh -V
          OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd  25 Mar 2021
          

          2.6 uses the updated OpenSSL version:

          [2.6.0-RC][admin@4220.stevew.lan]/root: ssh -V
          OpenSSH_7.9p1, OpenSSL 1.1.1l-freebsd  24 Aug 2021
          
          johnpozJ 1 Reply Last reply Reply Quote 1
          • johnpozJ Online
            johnpoz LAYER 8 Global Moderator @stephenw10
            last edited by johnpoz

            @stephenw10 while yes its 7.9p1 - still in the 7.9 base, and if you connect via ssh to the server - your only going to see the 7.9 banner

            debug1: Local version string SSH-2.0-OpenSSH_8.8
            debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
            

            That is what I show when connect from my pc to 21.05.2

            But yes its 7.9p1

            [21.05.2-RELEASE][admin@sg4860.local.lan]/var/db: ssh -V
            OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd  25 Mar 2021
            

            Kind of would of hoped that new pfsense would of updated to the 8.8 version ;) But don't think its actually in the freebsd base yet.

            From a quick looky see on that first CVE, looks like 7.9p1 is not vun anyway.. So its a misrepresentation of issue, which never ever happens with scanning software ;) hehehe

            From here
            https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234965

            This should of been taken care of in freebsd 12, and pfsense is currently on 12.2..

            And again - all those seem to be related to scp, if your client version is that, etc. so if you were being mitm using that version as client, you could have some issues..

            edit: side note.. I wouldn't have ssh open to the public in the first place, not unless you could lock down the source IPs. And don't think I have ever used pfsense ssh in client mode.. The only thing that can ssh to my pfsense, is my pc on my admin lan ;) So when used correctly I don't think really any of the typical cve that come out for ssh are of real concern, if ssh is used sanely ;) Not saying ssh shouldn't be kept up to date, or securely configured as best as possible. Just saying more than likely any cve shouldn't/couldn't really apply in the first place.

            edit2: just because guess I am in a rambling mood. If you want really bad support for ssh, look to stuff like switches and or iot devices where the version is quite often ancient, and doesn't even support modern ciphers or algorithms and no way to update them.. Ran into a issue with my unifi APs the other day.. they use dropbear, but its OLD 2017 version, and I lost access to even ssh to them because securecrt finally deprecated use of old host keys. So I had to modify the session options to still allow for the old host keys ssh-rsa

            edit3: look at this old shit my switch does, and there is no way to fix it..

            Unable to negotiate with 192.168.9.99 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
            

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • senseivitaS Offline
              senseivita @johnpoz
              last edited by

              So where you actually talking to pfsense ssh there, or were you talking to the firewall behind pfsense ssh?

              Both the gateway (named cloudfront) and firewall are pfSense, same version too. SSH and the tunnel server are the only two ports/protos not forwarded, even the web UI for cloudfront is forwarded to the local firewall where it goes through all of filters, (rules, NAT, geographic, reputation, signatures) passed to HAProxy on another system then back out the gateway.

              @stephenw10 I connected to the local instance in verbose and I saw it read p1 too. It was out of curiosity though, not concern--to see how readily is info like this available to scanner.

              SSH was/is open in case of lockouts so I don't have to deal with the OpenStack console but now that I think about it since it (cloudfront) is (1) already passing everything there's little chance of breaking things that I don't need to adjust and (2) DNS exits through the tunnel only meaning nothing works if it's broken for any reason which wouldn't be a quick fix so I'm following @johnpoz example and closing it down--or maybe forward it to HAProxy and do that TLS+SNI+SSH thing.

              BTW, if you think your switch is old... I have a Cisco 7975 phone to which no system released in at least the last 5 years connects without warnings+options and even further unsupported is this Polycom CX700, it doesn't open SSH but it does need to find a CA via DNS/LDAP (and thus the AD domain via DHCP) where the best possible pkey can be a 2048bit RSA key and watchout for the resulting chain so it's not too long in an already very-prone-to-error Microsoft PKI.

              This was fun. :) Thank you to both for answering.

              Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ Online
                johnpoz LAYER 8 Global Moderator @senseivita
                last edited by johnpoz

                @skilledinept said in Do the OpenSSH 7.9 CVEs apply to pfSense?:

                -to see how readily is info like this available to scanner.

                you could turn off the banner, Not sure if pfsense allows for that in the gui? But if your allowed to talk to the ssh and try and negotiate a connection to "auth" you would still be able to get info like what algos and ciphers are possible.

                You could edit the sshd conf directly, but that would just get reverted on update, etc.

                Security scanners can be very useful - and fun even. But a lot of what they report really needs to be taken with a grain of salt, if not a whole freaking tablespoon of it ;)

                But it did do its job - it got you curious, and looking into, and now you prob make for a more secure setup even if what it had reported wasn't really valid ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.