Netgate Discussion Forum

    How long before PFsense patch for vulnerability?

    • jerrygoldsmith

      Ok, I'm totally jumping the gun here but whatever. At Blackhat this year, there is a talk regarding using DNS to exploit a lot of different routers. Whether this be a FREEBSD problem or an issue with the PFsense program itself, is there any current knowledge of this issue and any fixes or configurations that can be made? (i.e., using Snort to block DNS attacks or something)

      https://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html
      How to Hack Millions of Routers
      "Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense."

      • jimp Rebel Alliance Developer Netgate

        As soon as we actually find out what a vulnerability might be, and a fix confirmed, one can be put out.

        We're trying to find out more info about that, nobody notified anyone here that I could find, so it's a bit irresponsible on their part to put out a statement like that.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • GruensFroeschli

          The actual text from the page:

          How to Hack Millions of Routers

          This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

          A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

          Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.

          This sounds to me like a simple tool which does nothing more than scan IPs and do a dictionary attack on the login credentials if someone is so stupid as to open up the web interface to the web with the default settings…
          Basically a "nothing to worry about, this is just a fearmonger trying to get some attention"

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • jimp Rebel Alliance Developer Netgate

            We got a response back from the presenter, and it's really a browser/user issue and not a router issue. He was just listing a bunch of GUI-based routers, it seems:

            @Craig:

            While my talk is focused on attacking routers, there is no exploit in
            any router per se, and it is not necessarily restricted to attacking
            routers. The exploit is DNS rebinding, which circumvents the
            same-origin policy in a client's Web browser by exploiting the trust
            inherently placed in the DNS protocol. Also note that the talk summary
            clearly states that this only provides access to the router's
            administrative interface; an attacker would still need to exploit the
            router or log in to it via default/weak credentials in order to do
            anything. Given that PFSense is relatively secure, and PFSense users
            are generally more advanced and security aware than the average user,
            I would suspect that this attack would only realistically affect a few
            PFSense users.

            • jerrygoldsmith

              Thank you very much!

              If that's the case… I figure I'm probably in the clear (though my users... hmm....)

              • jimp Rebel Alliance Developer Netgate

                Unless your users have the username and password for your router, you don't need to worry.

                Also, there is an open ticket and some code already checked into 2.0 to help prevent this in the future.

                • jimp Rebel Alliance Developer Netgate

                  We now have code in the 2.0 repo to protect against these attacks in the future, too.

                  Even if the risk isn't that large, it's still a risk.

                  • cmb

                    The particular attack that presentation is covering, amongst others, isn't specific to any product and isn't a vulnerability in the listed products. You need to take care with any device. Use strong passwords, and don't use the same browser for management and general web surfing. Other recommendations from a while back that are still applicable here:
                    http://blog.pfsense.org/?p=232

                    1 Reply Last reply Reply Quote 0
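Added example, not part of the thread and not pfSense's own code: two checks commonly used against the DNS rebinding described above. During rebinding the browser still sends the attacker's hostname in the `Host` header, and the rebound DNS answer maps an external name to an internal address, so an admin interface can reject unknown `Host` values and a resolver can flag such answers. `ALLOWED_HOSTS`, `LOCAL_SUFFIXES`, the function names and all sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values: the names/addresses under which the admin GUI is
# legitimately reached, and the DNS suffixes that may map to internal IPs.
ALLOWED_HOSTS = {"192.168.1.1", "fd00::1", "fw.lan.example"}
LOCAL_SUFFIXES = ("lan.example",)


def normalize_host(host_header):
    """Return the bare lower-case host from a Host header, or None if malformed."""
    host = host_header.strip().lower()
    if host.startswith("["):                    # bracketed IPv6, optional :port
        end = host.find("]")
        rest = host[end + 1:] if end != -1 else "x"
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        host = host[1:end]
    elif host.count(":") == 1:                  # name:port or IPv4:port
        host, port = host.split(":")
        if not port.isdigit():
            return None
    elif ":" in host:                           # unbracketed IPv6 is not valid here
        return None
    host = host.rstrip(".")                     # "fw.lan.example." == "fw.lan.example"
    try:
        return str(ipaddress.ip_address(host))  # canonical form for IP literals
    except ValueError:
        return host or None


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Admin-GUI side: accept a request only if its Host header is a known name."""
    host = normalize_host(host_header)
    return host is not None and host in allowed


def is_rebind_answer(qname, answer_ip, local_suffixes=LOCAL_SUFFIXES):
    """Resolver side: True if a non-local name resolves to an internal address."""
    name = qname.lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return False                            # internal names may be internal
    ip = ipaddress.ip_address(answer_ip)
    return ip.is_private or ip.is_loopback or ip.is_link_local
```

Neither check replaces the advice in the thread: access to the interface still ends at the login page, so strong, non-default credentials remain the second barrier.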