Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion vulnerability?
-
Hi,
First post, so please forgive and correct me if I'm in the wrong place etc.
We have had a risk assessment performed by a security company who said that the pfSense firewalls we use are vulnerable to "Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion". The text of the assessment also says "The remote host seems vulnerable to a bug wherein a remote attacker can circumvent the firewall by setting the ECE bit within the TCP flags field. At least one firewall (ipfw) is known to exhibit this sort of behaviour. Known vulnerable systems include all FreeBSD 3.x, 4.x, 3.5-STABLE, and 4.2-STABLE."
Isn't pfsense using a much later version than 4.2-STABLE? Can this possible vulnerability be ignored?
Version we use is 2.4.4-RELEASE-p3 (FreeBSD 11.2-RELEASE-p10) as a virtual machine.
-
@darrencox Before anyone can discuss security risk with you, you must upgrade to the current version of pfSense, hands down.
-
OK, I'll update and ask for the scan to be run again; I reckon it will come back with the same issue though...
-
Also note that pfSense includes ipfw (in 2.6) but does not use it for anything but the captive portal, limiters and HAProxy forwarding. pfSense uses pf for actually filtering most traffic.
Steve
-
@NollipfSense, I note that I need to upgrade, but considering @stephenw10's comment about the ipfw service, would it be possible to disable the ipfw service, as I do not use those features, and then the scan would not come up with the issue?
-
It's not a service that can be disabled like that. The scan is almost certainly just seeing the FreeBSD version and pulling in any known vulns from that. I assume you had to allow them some access to the firewall?
-
Hi @stephenw10, yes, they had external access only and were scanning the IPs. As you say, it's likely their scanner came back with "FreeBSD firewall" but no specifics. If I can get more details of what the scan actually found I'll post it, but I'll continue to work on the upgrade and ask for a re-scan when complete.
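Editor's added example (not part of any post in this thread, and not pfSense, pf or ipfw code): a small model of why a SYN segment with the ECE bit set could slip past a TCP-flag rule that compared the flags field exactly, and why a masked comparison of the kind pf uses (`flags S/SA` looks only at the S and A bits) is unaffected. The `legacy_established_match` function models the bug class the scanner's description refers to as "anything that is not exactly a bare SYN counts as established"; that modelling is an assumption made for this example, not a statement about the historical ipfw source. The packets are constructed inline.

```python
"""Model of TCP-flag matching: exact comparison vs. masked comparison.

Added editorial example. Assumptions: the vulnerable check is modelled as
"flags != SYN" (an illustration of the bug class, not ipfw's actual code);
pf semantics are modelled from its documented `flags <set>/<mask>` rule.
"""
import struct

# TCP flag bits, low to high (RFC 793 plus the RFC 3168 ECN bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, checksum zeroed)."""
    offset_and_flags = (5 << 12) | (flags & 0xFF)   # data offset 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the 8-bit flags field (byte 13) of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    return segment[13]


def legacy_established_match(flags: int) -> bool:
    """Modelled vulnerable check: treat anything that is not exactly a bare
    SYN as part of an established connection.  Any extra bit, including
    ECE, makes a connection-opening SYN look 'established'."""
    return flags != SYN


def established_match(flags: int) -> bool:
    """Corrected check: established means ACK or RST is set, regardless of
    what other bits (PSH, URG, ECE, CWR) happen to be present."""
    return bool(flags & (ACK | RST))


def pf_flags_match(flags: int, set_bits: int, mask: int) -> bool:
    """pf `flags S/SA` style: examine only the bits in `mask`, require the
    bits in `set_bits` among them.  Bits outside the mask are ignored."""
    return (flags & mask) == set_bits


def classify(segment: bytes) -> dict:
    """Run one segment through the three matchers."""
    f = tcp_flags(segment)
    return {
        "legacy_established": legacy_established_match(f),
        "fixed_established": established_match(f),
        "pf_new_connection": pf_flags_match(f, SYN, SYN | ACK),
    }


# Constructed sample segments: a normal SYN, a SYN with ECE set (an
# ECN-capable client, or an attacker probing the evasion), and a SYN/ACK.
SAMPLES = {
    "syn": build_tcp_header(40000, 22, SYN),
    "syn_ece": build_tcp_header(40001, 22, SYN | ECE),
    "syn_ack": build_tcp_header(22, 40000, SYN | ACK, seq=1, ack=1),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, classify(seg))
```

Reading the output: the plain SYN and the SYN+ECE segment are both new-connection attempts, and both the corrected `established` test and the pf-style masked test treat them identically; only the modelled exact-comparison check lets SYN+ECE through as "established". That is the behaviour the scanner's one-line description summarises, and it depends on how a filter compares flag bits, not on which FreeBSD version string it advertises, which is why a re-scan on a current release is a reasonable next step and a direct test (sending a SYN with ECE set to a port that should be blocked) is the definitive one.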