How long before PFsense patch for vulnerability?
-
Ok, I'm totally jumping the gun here but whatever. At Blackhat this year, there is a talk regarding using DNS to exploit a lot of different routers. Whether this be a FREEBSD problem or an issue with the PFsense program itself, is there any current knowledge of this issue and any fixes or configurations that can be made? (I.E. using Snort to block DNS attacks or something)
https://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html
How to Hack Millions of Routers
"Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense." -
As soon as we actually find out what a vulnerability might be, and a fix confirmed, one can be put out.
We're trying to find out more info about that, nobody notified anyone here that I could find, so it's a bit irresponsible on their part to put out a statement like that.
-
The actual tex from the page:
How to Hack Millions of Routers
This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.
A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).
Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.
This sound to me like a simple tool which does nothing more than scan IP's and do a dictionary attack on the login credentials if someone is so stupid to open up the webinterface to the web with the default settings…
Basically a "nothing to worry about, this is just a fearmonger trying to get some attention" -
We got a response back from the presenter, and it's really a browser/user issue and not a router issue. He was just listing a bunch of GUI-based routers, it seems:
While my talk is focused on attacking routers, there is no exploit in
any router per-se, and it is not necessarily restricted to attacking
routers. The exploit is DNS rebinding, which circumvents the
same-origin policy in a client's Web browser by exploiting the trust
inherently placed in the DNS protocol. Also note that the talk summary
clearly states that this only provides access to the router's
administrative interface; an attacker would still need to exploit the
router or log in to it via default/weak credentials in order to do
anything. Given that PFSense is relatively secure, and PFSense users
are generally more advanced and security aware than the average user,
I would suspect that this attack would only realistically affect a few
PFSense users. -
Thank you very much!
If that's the case… I figure I'm probably in the clear (though my users... hmm....)
-
Unless your users have the username and password for your router, you don't need to worry.
Also, there is an open ticket and some code already checked into 2.0 to help prevent this in the future.
-
We now have code in the 2.0 repo to protect against these attacks in the future, too.
Even if the risk isn't that large, it's still a risk.
-
The particular attack that presentation is covering, amongst others, isn't specific to any product and isn't a vulnerability in the listed products. You need to take care with any device. Use strong passwords, don't use the same browser for management and general web surfing. Other recommendations from a while back that are still applicable here:
http://blog.pfsense.org/?p=232
