Re: [pfSense] Recent FreeBSD Security Vulnerabilities

Mon, 20 Jan 2014 12:27:52 -0800 

On Mon, Jan 20, 2014 at 2:33 PM, Adam Piasecki
<apiase...@midatlanticbb.com>wrote:

>  Is pfSense is affected by the recent FreeBSD security alerts?
>
>   2014-01-14 
> FreeBSD-SA-14:04.bind<http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
>

pfSense does not use BIND by default, so this one is not an issue for most
people. That said, *there is a BIND package* in the package manager, you
will have to fix it if you are using that package.

 2014-01-14 
FreeBSD-SA-14:03.openssl<http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc>
>

pfSense 2.1 release is running OpenSSL 0.9.8y (at least on my machine),
which is not reported <http://www.openssl.org/news/vulnerabilities.html> to
be vulnerable.

  2014-01-14 
FreeBSD-SA-14:02.ntpd<http://security.FreeBSD.org/advisories/FreeBSD-SA-14:02.ntpd.asc>
>

It looks like pfSense is affected by this one.

The simplest thing to do in the interim is probably to restrict access to
NTP (by setting which interfaces it listens on and/or with firewall rules)
to trusted machines only.

Alternatively, the configuration workaround posted in the advisory looks
like it should be easy enough to set up.  You cannot edit the ntpd config
file directly because pfSense will overwrite it, but you can edit
/etc/inc/system.inc (around line 1290) to add the workaround to the
function that builds the config file.

  2014-01-14 
FreeBSD-SA-14:01.bsnmpd<http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc>
>

I would guess that pfSense is vulnerable to this one.  However, it is only
an issue if you are actually using SNMP.  If you aren't, just make sure
that it is disabled under "Services" -> "SNMP" and you'll be fine.

Although the advisory does not mention this workaround, if you do use SNMP,
you can probably get away with only allowing SNMP traffic from trusted
hosts. (In truth, you should be doing that anyway.)


> http://www.freebsd.org/security/advisories.html
>
> Thanks,
> Adam
>

HTH,

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Reply via email to