Security vulnerabilities?



  • What is the process of reporting security vulnerabilies? Or get confirmed that they is fixed in release?

    Are going to put in pfsense in a PCI DSS environment and made a nessus scan. Got this results:

    4/1/2014 Nessus / Scans / Hosts / Vulnerabilities

    HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
    HIGH lighttpd < 1.4.35 Multiple Vulnerabilities
    MEDIUM NTP monlist Command Enabled
    MEDIUM SSL Certificate Cannot Be Trusted
    MEDIUM SSL Certificate with Wrong Hostname
    MEDIUM SSL SelfSigned Certificate
    MEDIUM Web Server Allows Password AutoCompletion
    LOW SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
    LOW SSL RC4 Cipher Suites Supported
    INFO Service Detection
    INFO Nessus SYN scanner
    INFO CGI Generic Injectable Parameter



  • The only ones that are actually an issue are the LIGHTTPD ones; everything else you can fix with having an actual SSL cert or manual server configurations.  Not sure of the procedure to patch the web server vulns without breaking anything… caveat being I'm also pretty new to Pfsense in general.


  • Rebel Alliance Developer Netgate

    2.1.1 is coming soon (days at most) and contains a newer lighttpd



  • I am very impressed of your fast response to this. If we take it in production I will buy support from you guys.

    SSL is of course fixed by using certs from our own CA. My main concern is 3things;

    1.
    HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
    HIGH lighttpd < 1.4.35 Multiple Vulnerabilities

    MEDIUM Web Server Allows Password AutoCompletion (PCI-DSS variant)

    Description
    The remote web server contains at least HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'.

    While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.

    Solution
    Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

    Output
    Page : /
    Destination Page: /index.php

    Page : /index.php
    Destination Page: /index.php
    Port Hosts
    443 / tcp / www
    10.1

    3. MEDIUMNTP monlist Command Enabled

    Description

    The version of ntpd on the remote host has the 'monlist' command enabled. This command returns a list of recent hosts that have connected to the service. As such, it can be used for network reconnaissance or, along with a spoofed source IP, a distributed denial of service attack.
    Solution

    If using NTP from the Network Time Protocol Project, either upgrade to NTP 4.2.7-p26 or later, or add 'disable monitor' to the 'ntp.conf' configuration file and restart the service. Otherwise, contact the vendor.

    Otherwise, limit access to the affected service to trusted hosts.
    See Also

    https://isc.sans.edu/diary/NTP+reflection+attack/17300
    http://bugs.ntp.org/show_bug.cgi?id=1532
    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613
    Output

    If you can fix number 2 also it will be a fully PCI compliant device! More than your fellows Barracuda Networks can do ;) Number 3 counld be fixed by just disable the ntp service, but if you want… :)


  • Rebel Alliance Developer Netgate

    @merald:

    1.
    HIGH lighttpd < 1.4.34 Multiple Vulnerabilities
    HIGH lighttpd < 1.4.35 Multiple Vulnerabilities

    Fixed in 2.1.1

    @merald:

    MEDIUM Web Server Allows Password AutoCompletion (PCI-DSS variant)

    Fixed by going to System > Advanced and checking "Disable webConfigurator login autocomplete"

    @merald:

    3. MEDIUMNTP monlist Command Enabled

    Fixed on 2.1.1



  • Awesome! As fast as 2.1.1 is released it going in to production in a PCI DSS environment. Not many appliances you can remove initial user as "admin", do comply with requirement "No vendor accounts" and just use AD-accounts instead. Great work you all! Any last tips about running it on virtual server as VMware?



  • Hi all

    New scan of 2.1.1

    Unfortunately some new one came up:

    Not sure how to handle this, false positive?

    CGI Generic Cross-Site Request Forgery Detection (potential)
    Description

    The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The web application might be vulnerable to CSRF attacks.

    Note that :

    • Nessus did not exploit the flaw,
    • Nessus cannot identify sensitive actions – for example, on an online bank, consulting an account is less sensitive than transferring money.

    You will have to audit the source of the CGI scripts and check if they are actually affected.
    Solution

    Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
    See Also

    http://en.wikipedia.org/wiki/Cross-site_request_forgery
    Output
    The following CGIs are not protected by a random token :
    /index.php

    And then for the squid package that did not got any vulnerabilites before:

    Squid 2.x / 3.x < 3.1.22 / 3.2.4 / 3.3.0.2 cachemgr.cgi DoS
    Description

    According to its banner, the version of Squid running on the remote host is 2.x or 3.x prior to 3.1.22 / 3.2.4 / 3.3.0.2. The included 'cachemgr.cgi' tool reportedly lacks input validation, which could be abused by any client able to access that tool to perform a denial of service attack on the service host. Note that Nessus did not actually test for this issue, but instead has relied on the version in the server's banner.
    Solution

    Either upgrade to Squid version 3.1.22 / 3.2.4 / 3.3.0.2 or later, or apply the vendor-supplied patch.

    Alternatively, restrict access to this CGI or limit CGI memory consumption via the host web server's configuration options.
    See Also

    http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
    Output
    Version source    : Server: squid/2.7.STABLE9
      Installed version : 2.7.STABLE9
      Fixed version    : 3.1.22 / 3.2.4 / 3.3.0.2

    Squid 2.x / 3.x < 3.1.23 / 3.2.6 / 3.3.0.3 cachemgr.cgi DoS
    Description

    According to its banner, the version of Squid running on the remote host is 2.x or 3.x prior to 3.1.23 / 3.2.6 / 3.3.0.3. The included 'cachemgr.cgi' tool reportedly lacks input validation, which could be abused by any client able to access that tool to perform a denial of service attack on the service host.

    Note this fix is a result of an incomplete fix for CVE-2012-5643.
    Further note that Nessus did not actually test for this issue, but instead has relied on the version in the server's banner.
    Solution

    Either upgrade to Squid version 3.1.23 / 3.2.6 / 3.3.0.3 or later, or apply the vendor-supplied patch.

    Alternatively, restrict access to this CGI or limit CGI memory consumption via the host web server's configuration options.
    See Also

    http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
    Output
    Version source    : Server: squid/2.7.STABLE9
      Installed version : 2.7.STABLE9
      Fixed version    : 3.1.23 / 3.2.6 / 3.3.0.3

    Squid 2.x / 3.x < 3.1.22 / 3.2.4 / 3.3.0.2 cachemgr.cgi DoS
    Description

    According to its banner, the version of Squid running on the remote host is 2.x or 3.x prior to 3.1.22 / 3.2.4 / 3.3.0.2. The included 'cachemgr.cgi' tool reportedly lacks input validation, which could be abused by any client able to access that tool to perform a denial of service attack on the service host. Note that Nessus did not actually test for this issue, but instead has relied on the version in the server's banner.
    Solution

    Either upgrade to Squid version 3.1.22 / 3.2.4 / 3.3.0.2 or later, or apply the vendor-supplied patch.

    Alternatively, restrict access to this CGI or limit CGI memory consumption via the host web server's configuration options.
    See Also

    http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
    Output
    Version source    : Server: squid/2.7.STABLE9
      Installed version : 2.7.STABLE9
      Fixed version    : 3.1.22 / 3.2.4 / 3.3.0.2

    What you experts say?



  • bump  :o



  • Bump again. I offer my Help to do Security scans of new releases, anyone intrested?