Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OMG…

    OpenVPN
    4
    5
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      Guest
      last edited by

      https://forums.openvpn.net/topic17625.html

      wuuuuaaaaahhhh… is this every going to stop with this bugdoor?

      1 Reply Last reply Reply Quote 0
      • JeGrJ
        JeGr LAYER 8 Moderator
        last edited by

        -> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

        Quote: "However, only server availability is affected. Confidentiality and authenticity of traffic are not affected."

        As one doesn't allow non-trustworthy people access to VPN onto a firewall(ed system)… Doesn't look that OMG-the-internet-will-die critical to me. Yeah DOS is possible. But to already authenticated clients only. Perhaps I'm more pragmatic but I don't see the hype on this one.

        ;) Greets

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        1 Reply Last reply Reply Quote 0
        • S
          snm777
          last edited by

          Treated in isolation, it is not such a huge deal, but the people that abuse these flaws aren't stupid.  They write software that takes advantage of MANY flaws, and the more unpatched flaws that are out there, the easier the job becomes.

          A DoS attack doesn't sound bad - but what it usually is is noticeable - noisy, if you will.  If I'm a bad guy trying to go unnoticed, I might want to initiate a DoS attack to keep the incident response people busy with the thing that is affecting their users, and quietly go after my real target while the DoS ties up the resources of those responsible for responding.

          So no, it's not that the world is ending, but this alert, and others like it, should not be dismissed just because, taken in isolation, they are "no big deal."

          My first response to this was to check my vulnerability exposure by checking version information, see if an update was available for pfsense, then head to the forum to see if a moderator had started a response (at this time, sadly, no).  This is the only thread I've found so far, so I'm responding to what is in it, and I'm looking to see if anyone provides a timeline for the fix to be ported to the pfsense implementation, and help if I can (not likely, but you never know).  I in turn expect to be asked about when this will be fixed by both internal and external customers, probably within the hour.  Since no mitigation timeline is apparent yet, I will have to confirm that this vulnerability exists, and come up with potential mitigation steps that can be taken,if there are any, and publish those to my customers.

          All this kinda sucks and is frustrating, but is neither "OMG!" nor "Meh," it's just responding to the environment we all find ourselves in.

          Wow, re-read all that before posting.  /me gets down off soapbox.

          1 Reply Last reply Reply Quote 0
          • B
            BeerCan
            last edited by

            the admin gonzoponcho stated they were aware of the situation yesterday early morning.
            https://forum.pfsense.org/index.php?topic=84785.0

            1 Reply Last reply Reply Quote 0
            • S
              snm777
              last edited by

              Thanks very much! Not sure why my search didn't turn that one up, I'll follow that thread.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.