
pfSense and the CVE-2014-6271 (“shellshock”) bash exploit.

tl;dr: If you’re having shell problems I feel bad for you son. I got 99 problems but bash ain’t one.

If you’ve not heard, Stephane Chazelas discovered a vulnerability in bash related to how it imports function definitions from environment variables: any code following the function body in the variable’s value was executed when the shell started, regardless of the variable’s name. In many common configurations (CGI, for one) this vulnerability is exploitable over the network.

NIST has assigned CVE-2014-6271 a CVSS score of 10. Proofs of concept are starting to appear.

So the question becomes, “is pfSense affected?”

The short answer is: unlikely, though four packages could bring bash, and with it an exploitable shell, onto the system. The base system of pfSense does not include bash, so the problem is reduced to packages.

Four packages are affected, and only one is commonly used. The affected packages are:

  • Anyterm — This package contains bash in its binaries, which are checked into the git repo rather than shipped as a .pbi or .tgz. This package will simply be retired as it is unmaintained and rarely used. We will review all packages, and any which contain binaries that we have not built from source will be removed or re-engineered so that we can compile them from source.
  • Freeswitch-dev — Runs pkg_add for bash. This package is not actively maintained, and can likely be safely removed from the list of packages with minimal community impact.
  • FreeRADIUS2 — Adds bash via pkg_add using FreeBSD’s 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We’re looking into the best way to fix it.
  • Mailscanner — Includes bash also, will be fixed shortly.

Since neither pfSense software version 2.1.5 nor the pfSense 2.2-BETA images are affected, no fix to the base system is required, and we don’t plan any release in response to this issue.
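As an added example (not code from the pfSense project or from this post), the following POSIX sh audit follows the reasoning above: since the base system ships no bash, it looks for bash binaries in the places FreeBSD packages and PBIs install to, and runs the widely circulated environment-variable probe against each one it finds. The directory list, the SHELLSHOCK marker string and the optional root prefix (for auditing a mounted image offline) are assumptions for illustration; run it as root on the firewall.

```sh
#!/bin/sh
# Added example, not pfSense project code: audit a pfSense/FreeBSD host for
# CVE-2014-6271 exposure. The base system ships no bash, so any bash present
# was dropped by a package (pkg_add or bundled binaries); find and probe it.

# Directories (assumed) where packages and PBIs put binaries. $1 is an optional
# root prefix so a mounted image or a staging tree can be audited offline.
list_bash_binaries() {
    root="${1:-}"
    for dir in "$root/bin" "$root/usr/bin" "$root/usr/local/bin" "$root/usr/pbi"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type l \) -name bash 2>/dev/null
    done
    return 0
}

# The classic probe: export a variable whose value is a function definition
# followed by trailing code. A vulnerable bash runs the trailing code while
# importing its environment, before -c 'true' is ever executed; the variable
# name (x) is irrelevant, which is what makes network-facing vectors work.
probe_bash() {
    env x='() { :;}; echo SHELLSHOCK' "$1" -c 'true' 2>/dev/null
    return 0
}

# Classify probe output: the marker string only appears if the trailing code ran.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Audit a root. Prints one status line per bash found, or a note that none
# exists. Exit status: 0 if no exposure, 1 if any bash found is vulnerable.
audit_shellshock() {
    root="${1:-}"
    rc=0
    found=0
    for b in $(list_bash_binaries "$root"); do
        found=1
        status=$(classify_probe_output "$(probe_bash "$b")")
        echo "$b: $status"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no bash binary found: not exposed via bash"
    fi
    return "$rc"
}

# Usage: sh audit_shellshock.sh [root]
audit_shellshock "$@"
```

The probe is the same one-liner circulating for this bug, wrapped so the result is a status and an exit code rather than something to eyeball; a host where the audit prints nothing but “no bash binary found” is in the position the post describes for the base system, and every package that pulls bash in shows up as a path to go and fix.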

UPDATE: Affected packages have been updated or removed. Full details are in the security announcement which was posted this afternoon. -jimp

September 2014 Hangout

The monthly pfSense Hangout is upon us. For September, 2014, the topic will be “Advanced OpenVPN Concepts”. This month’s host will be Jim Pingle. The hangout will happen this Friday, September 26 at 1PM Central US time.

OpenVPN is one of the most frequently used features within pfSense. This month, Jim will dive a little deeper to cover some of the more obscure and complex pieces of this feature.

The pfSense Hangout is an exclusive benefit for our Gold subscribers. Subscribers will find the meeting link after logging in to the members section. If you’re not yet a subscriber, sign up now and you’ll get immediate access. If you can’t make the live event, the video and audio recording and slides are available for members to download within a few hours of the session’s completion.

By subscribing to Gold, you are also helping to keep the project alive! We staff developers, a support team, engineers and other functions on a full time basis so we can keep bringing you a quality product!

Here is a preview of the hangout:

pfSense 2.2 enters BETA!

The 2.2 release has now reached the beta milestone. This means the release is feature complete (a comprehensive list of new features and changes can be found here) and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready though: our developers have been using it in production for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.2 is not yet for you (young padawan).

If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.2 board on the forum. Note that the source changes very frequently, so a snapshot may be built from a point in time that captured part, but not all, of a multi-commit change.

Known Issues

Of the most current list of known issues, those marked as “Feedback” are either believed to be resolved but need more testing, or need further details before they can be replicated and resolved; feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.2 board on the forum, where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot; it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.

Important upgrade warning

You can upgrade from 2.1.x to 2.2 just as with any other release, BUT you cannot downgrade from 2.2 to 2.1.x: after you upgrade, your configuration is converted to a format that is usable only on 2.2. Several of the features in 2.2 were revamped to the extent that a change in configuration format was necessary. If you do upgrade, take a backup first so you can reinstall 2.1.x and restore it if needed.

Proceed with caution! Expect things to be broken, this is not production-ready for most scenarios for non-developers, but development is moving along rapidly, and we would appreciate feedback from those in a position to test things (and potentially break their network).

September’s pfSense Fundamentals and Practical Application Course

Last weekend pfSense University had another successful pfSense Fundamentals and Practical Application Course, co-taught by Co-Founder Chris Buechler and Principal Engineer George Phillips. Attendees from across the globe and from varying industries attended this two-day course, which includes a hands-on lab. Not only is this a great venue to learn the complexities of pfSense, but it’s an opportunity to meet some of the pfSense team as well as share notes with other talented pfSense users. Look forward to more courses in the future.

Chris and George doing some hands-on training.

Note the free coffee.

Chris assisting while George teaches.

George assisting while Chris teaches.

2.1.5 RELEASE Now Available

The 2.1.5 release follows shortly after 2.1.4 and is primarily a security release.

Security Fixes

Other Fixes

  • Handle a missing DHCPD config section properly during a configuration upgrade
  • Fix a regression that broke CARP+IP alias VIP functionality
  • Fix the Pass, Block, Reject and Interface filters in the Firewall Logs Widget [#3725]
  • Use HTTPS for dyndns providers that support it
  • Avoid resetting the firewall hostname from a WAN DHCP server [#3746]
  • Add missing qlimit keyword in some shaper rules
  • Change Cancel button to call history.back() when editing firewall aliases to fix issues with IE 11 [#3728]
  • Allow hostnames in bulk import since they are valid entries in a network type alias
  • Fix input validation logic on diag_testport.php, escape more shell arguments for good measure
  • Escape the individual dnsmasq advanced/custom options
  • Encode the detail field of an alias entry before displaying its contents back to the user
  • Encode interface/VIP descriptions before displaying them on the NTP daemon settings, and GIF/GRE interfaces
  • Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary
  • Shorten the wait at “reload” in startup wizard to 5 seconds from 60
  • Do not execute DNS lookups on GET, only pre-fill Host box so the user can press the button to execute
  • Turn alias creation links from DNS lookups into submit buttons for POST
  • Remove javascript alert DNS resolution action from the firewall log view. It was already removed from 2.2, and it’s better not to allow a GET action to perform that action
  • Require click-through POST confirmation when restoring or deleting a configuration from the backup history page
  • Avoid a “Cannot use string offset as an array” error if the packages section of the config is missing
  • Avoid generating an invalid IPsec (racoon) config if the user specified a mobile pool that is too small
  • IPsec phase 2 pinghost was not used if the source IP was a virtual IP address [#3798]
  • Move dhcp6c log to dhcpd.log [#3799]
  • Do not reset source and destination port range values when it’s an associated rule created by NAT port forward. [#3778]
  • Added filter.so to list of extensions loaded for filter_var() support.
  • The pfSense PHP module was setting the subnet mask of lo0 to /0, which could break some routes and cause other unintended routing side effects.
August Hang Out – Network Address Translation

Our August hang out will be next Friday, August 15, at 13:00 US Central time. Join us for around an hour and a half of coverage of NAT, with time for questions to follow.

NAT is one of the most widely used features in pfSense and one we haven’t yet gone over in detail in a hang out. Topics covered will include the following:

  • How NAT functions in general terms, and specifically with pfSense
  • Uses of NAT – more than just connecting your private network to the Internet
  • NAT’s interaction with firewall rules
  • Live configuration examples of redirection using port forwards, 1:1, and outbound NAT
  • Troubleshooting guidance

Being tied up in the time-consuming materials preparation for our first pfSense University class last week, I unfortunately didn’t have time to adequately prepare for a hang out in July. We’ll make that up to you with an extra session in August or September, date to be determined.

This is an exclusive benefit for our Gold subscribers. The link to join the session can be found after logging into your account in the members area.

Thanks for your support, and look forward to having you there!

Here is a preview of the hangout:

Customer Support Engineer Position at pfSense

Electric Sheep Fencing, the company behind the pfSense project, is expanding the service and support organization to meet increasing customer demand. As such, we’re looking for someone who can fill the role of a Customer Support Engineer. This role is ideally located in Austin, Texas, but can be modified to a remote/work-from-home role to accommodate a very qualified candidate outside of Austin.

If you’re interested, please download the full job description.

No phone calls, please.

Five Things to Know About pfSense

(1) The pfSense store now sells hardware! Working with various manufacturers, we’ve put together a wide range of thoroughly tested pfSense appliances that are bundled with one year of support. Go to the store for more information.

(2) The pfSense team now does professional services. This includes penetration testing, CARP configuration, network design, conversion from your old firewall to pfSense, and systems/infrastructure install. Please see our professional services page for more information.

(3) There’s only one place to get official pfSense Training. Our August class is full! Our next class is September 5-6 in Austin, Texas! Use coupon code BBC425FF for an instant $500 discount! Details are at pfSense University.

(4) pfSense Gold is our premium membership subscription program, designed to provide special benefits to our members while supporting ongoing development of the Open Source pfSense project. The membership is a great way to enhance your ownership of one of our appliances with access to the official pfSense book, monthly on-line meet-ups, and more! Get more info here!

(5) Anyone purchasing a support-eligible product in the month of AUGUST will receive a coupon code for a FREE one year subscription to pfSense Gold (a $99.00 value). Eligible products include the VK-T40E pfSense® Firewall Hardware Appliance, C2758 1U pfSense® Firewall Hardware Appliance, and our latest offering, the FW-7551 pfSense® Firewall Hardware Appliance. Just e-mail your invoice from the store after purchase to help [at] pfSense [dot] org to request your code!

Head on over to the pfSense store and get yours today.

2.1.4 RELEASE Now Available

2.1.4 follows very shortly after 2.1.3 and is primarily a security release. Refer to the 2.1.1 release notes, 2.1.2 release notes, and 2.1.3 release notes for other recent changes.

Security Fixes

Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

June 2014 Hang Out – Firewalls and Virtualization

Our June 2014 hang out is Friday, June 27 at 13:00 US Central time. This month’s topic is firewalls and virtualization. This is an exclusive benefit for our Gold subscribers. Subscribers will find the meeting link after logging in to the members section. If you’re not yet a subscriber, sign up now and you’ll get immediate access. If you can’t make the live event, the video and audio recording and slides are available for members to download within a few hours of the session’s completion.

As companies and individuals have virtualized their server infrastructures, they have also looked to virtualize their firewalls. This brings many questions to mind. Is it a good idea? Is it secure? How does it work? What are my options for configuration? Can I get adequate performance?

pfSense Co-founder Chris Buechler will answer all these questions and more during June’s hang out.

Attendees will come away with the knowledge of where virtualized firewalls may be a good fit, where they’re probably a bad idea, the potential security implications, knowledge of the various network configuration options available in hypervisors, options for handling high availability, and more. Both desktop-class and server-class products will be covered, including bhyve, Hyper-V, KVM, Parallels, VirtualBox, VMware (Workstation, Player, Fusion and ESX/ESXi), and Xen.

Usage areas covered will include production systems, test and development environments, and fun but ugly hacks that can work temporarily if you’re in a bind.

Here is a preview of the hangout: