Author Topic: How long before PFsense patch for vulnerability?  (Read 8950 times)

Offline jerrygoldsmith

How long before PFsense patch for vulnerability?
« on: June 30, 2010, 11:16:16 am »
OK, I'm totally jumping the gun here but whatever. At Blackhat this year, there is a talk regarding using DNS to exploit a lot of different routers. Whether this be a FreeBSD problem or an issue with the pfSense program itself, is there any current knowledge of this issue and any fixes or configurations that can be made? (i.e. using Snort to block DNS attacks or something)

https://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html
How to Hack Millions of Routers

"Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense."

Offline jimp

  • Administrator
« Reply #1 on: July 01, 2010, 12:34:09 pm »
As soon as we actually find out what a vulnerability might be, and a fix confirmed, one can be put out.

We're trying to find out more info about that, nobody notified anyone here that I could find, so it's a bit irresponsible on their part to put out a statement like that.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline GruensFroeschli

  • Global Moderator
« Reply #2 on: July 01, 2010, 02:20:11 pm »
The actual text from the page:
Quote
How to Hack Millions of Routers

This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.

This sounds to me like a simple tool which does nothing more than scan IPs and do a dictionary attack on the login credentials if someone is so stupid as to open up the web interface to the web with the default settings...
Basically a "nothing to worry about, this is just a fearmonger trying to get some attention"
« Last Edit: July 01, 2010, 02:22:51 pm by GruensFroeschli »
We do what we must, because we can.
(Except when you PM me to help you directly - DON'T: keep your issues in the forum)

Offline jimp

« Reply #3 on: July 01, 2010, 02:25:40 pm »
We got a response back from the presenter, and it's really a browser/user issue and not a router issue. He was just listing a bunch of GUI-based routers, it seems:

Quote from: Craig Heffner
While my talk is focused on attacking routers, there is no exploit in
any router per-se, and it is not necessarily restricted to attacking
routers. The exploit is DNS rebinding, which circumvents the
same-origin policy in a client's Web browser by exploiting the trust
inherently placed in the DNS protocol. Also note that the talk summary
clearly states that this only provides access to the router's
administrative interface; an attacker would still need to exploit the
router or log in to it via default/weak credentials in order to do
anything. Given that PFSense is relatively secure, and PFSense users
are generally more advanced and security aware than the average user,
I would suspect that this attack would only realistically affect a few
PFSense users.

Offline jerrygoldsmith

« Reply #4 on: July 04, 2010, 05:06:29 pm »
Thank you very much!

If that's the case... I figure I'm probably in the clear (though my users... hmm....)

Offline jimp

« Reply #5 on: July 05, 2010, 06:55:06 am »
Unless your users have the username and password for your router, you don't need to worry.

Also, there is an open ticket and some code already checked into 2.0 to help prevent this in the future.

Offline jimp

« Reply #6 on: July 06, 2010, 03:36:13 pm »
We now have code in the 2.0 repo to protect against these attacks in the future, too.

Even if the risk isn't that large, it's still a risk.

Offline cmb

  • Administrator
    • Chris Buechler
« Reply #7 on: July 12, 2010, 11:12:42 am »
The particular attack that presentation is covering, amongst others, isn't specific to any product and isn't a vulnerability in the listed products. You need to take care with any device. Use strong passwords, don't use the same browser for management and general web surfing. Other recommendations from a while back that are still applicable here:
http://blog.pfsense.org/?p=232
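
The thread describes DNS rebinding as a browser being led to an admin interface under an attacker-controlled hostname. The sketch below is an added example, not code from pfSense or from any poster in this thread; it shows two commonly used defensive checks, one in the admin GUI (Host header allow-list) and one in the resolver (rejecting internal addresses for non-local names). All hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed values: the names and addresses this admin GUI answers to.
ALLOWED_HOSTS = {"fw.example.lan", "192.168.1.1", "fd00::1"}
LOCAL_DOMAINS = ("example.lan",)


def normalize_host(host_header):
    """Return the host part of an HTTP Host header, lowercased, without port."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [fd00::1]:443
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[1:end]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():      # malformed port or unbracketed IPv6
        return None
    return name.rstrip(".") or None


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """GUI-side check: a rebound request still carries the attacker's hostname in Host."""
    host = normalize_host(host_header)
    return host is not None and host in allowed


def is_rebind_answer(qname, answer_ip, local_domains=LOCAL_DOMAINS):
    """Resolver-side check: a non-local name must not resolve to an internal address."""
    name = qname.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in local_domains):
        return False                    # local names may point at internal hosts
    ip = ipaddress.ip_address(answer_ip)
    return ip.is_private or ip.is_loopback or ip.is_link_local
```

A GUI would answer a request failing `host_header_allowed` with an error page instead of the login form, and a resolver would drop any answer for which `is_rebind_answer` is true.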