OMG…



  • https://forums.openvpn.net/topic17625.html

    wuuuuaaaaahhhh… is this every going to stop with this bugdoor?


  • Moderator

    -> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

    Quote: "However, only server availability is affected. Confidentiality and authenticity of traffic are not affected."

    As one doesn't allow non-trustworthy people access to VPN onto a firewall(ed system)… Doesn't look that OMG-the-internet-will-die critical to me. Yeah DOS is possible. But to already authenticated clients only. Perhaps I'm more pragmatic but I don't see the hype on this one.

    ;) Greets



  • Treated in isolation, it is not such a huge deal, but the people that abuse these flaws aren't stupid.  They write software that takes advantage of MANY flaws, and the more unpatched flaws that are out there, the easier the job becomes.

    A DoS attack doesn't sound bad - but what it usually is is noticeable - noisy, if you will.  If I'm a bad guy trying to go unnoticed, I might want to initiate a DoS attack to keep the incident response people busy with the thing that is affecting their users, and quietly go after my real target while the DoS ties up the resources of those responsible for responding.

    So no, it's not that the world is ending, but this alert, and others like it, should not be dismissed just because, taken in isolation, they are "no big deal."

    My first response to this was to check my vulnerability exposure by checking version information, see if an update was available for pfsense, then head to the forum to see if a moderator had started a response (at this time, sadly, no).  This is the only thread I've found so far, so I'm responding to what is in it, and I'm looking to see if anyone provides a timeline for the fix to be ported to the pfsense implementation, and help if I can (not likely, but you never know).  I in turn expect to be asked about when this will be fixed by both internal and external customers, probably within the hour.  Since no mitigation timeline is apparent yet, I will have to confirm that this vulnerability exists, and come up with potential mitigation steps that can be taken,if there are any, and publish those to my customers.

    All this kinda sucks and is frustrating, but is neither "OMG!" nor "Meh," it's just responding to the environment we all find ourselves in.

    Wow, re-read all that before posting.  /me gets down off soapbox.



  • the admin gonzoponcho stated they were aware of the situation yesterday early morning.
    https://forum.pfsense.org/index.php?topic=84785.0



  • Thanks very much! Not sure why my search didn't turn that one up, I'll follow that thread.