Archive for January, 2013

Security flaws in Universal Plug and Play

Wednesday, January 30th, 2013

Rapid7 released a paper today covering new security flaws in UPnP. These findings have lead to the US Department of Homeland Security recommending everyone disable UPnP.

These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.

It’s arguable whether you should ever enable UPnP at all, ever. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.

If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.

This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.

OpenVPN client now available on Apple iOS!

Friday, January 18th, 2013

Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.

Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (and retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes, it’s a quick, easy process.

Our thanks to OpenVPN Technologies and Apple for making this happen!