Is there a web site that shows known OPNsense security vulnerabilities?
Thank you
Frank
You can run a security scan on any OPNsense system under System -> Firmware -> Status -> Run an audit -> Security. It will tell you the CVEs affecting your current system. For example, mine gave me the following output:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
Is this what you are looking for? :)
I think this is on the right track. It appears OPNsense.org is self-managing a publicly accessible database that the firewall references to determine what security issues exist on itself. Right?
My guess (because I don't actually know) is that they just cross reference the installed packages with the publicly available CVE database and that they don't run a server themselves. But maybe someone else can enlighten us ;)
We just use the FreeBSD package vulnerability database via pkg-audit utility which matches against the installed packages. It's run by FreeBSD and tailored for their ports. Sometimes there are (human) errors in these reports, but overall it works really well.
Cheers,
Franco
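As an added example, not code from the thread, from OPNsense or from the FreeBSD pkg tool: the audit output quoted above is plain text from pkg-audit, so a defender who wants to track the findings (open a ticket per CVE, compare runs after an update, check that the summary line agrees with the entries) needs to parse it. The script below does that for the exact format shown in the post, using the post's own output as its sample input. It assumes the four line kinds in that output ("<pkg> is vulnerable:", an advisory title, "CVE:" and "WWW:"), tolerates the two-space indentation that real pkg audit output has and the forum paste lost, and allows more than one CVE line per advisory; the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the audit output quoted in the forum post above, pasted here verbatim
# so the script runs offline. Real pkg audit output indents the title/CVE/WWW lines;
# the parser strips whitespace so both forms work.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
"""


@dataclass
class Finding:
    """One advisory reported for one installed package."""
    package: str                      # installed name-version, e.g. "ruby-2.7.4,1"
    title: str                        # advisory title as printed, e.g. "NSS -- Memory corruption"
    cves: list = field(default_factory=list)
    www: str = ""


_VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
_SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")


def parse_audit(text):
    """Parse pkg-audit style output (hypothetical helper name).

    Returns (findings, summary) where summary is the (problems, packages) pair
    printed by the tool, or None if no summary line was present.
    """
    findings = []
    current_pkg = None   # package whose advisories we are currently reading
    current = None       # Finding that subsequent CVE:/WWW: lines belong to
    summary = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _VULN_RE.match(line)
        if m:
            current_pkg, current = m.group(1), None
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("***"):
            current_pkg, current = None, None   # banner lines end any package block
            continue
        if current_pkg is None:
            continue   # header lines before the first vulnerable package
        if line.startswith("CVE:"):
            if current is not None:
                current.cves.append(line[4:].strip())
        elif line.startswith("WWW:"):
            if current is not None:
                current.www = line[4:].strip()
        else:
            # Any other line inside a package block starts a new advisory title.
            current = Finding(package=current_pkg, title=line)
            findings.append(current)
    return findings, summary


def summary_matches(findings, summary):
    """True if the tool's own summary line agrees with what we parsed."""
    if summary is None:
        return False
    problems, packages = summary
    return len(findings) == problems and len({f.package for f in findings}) == packages


def cve_ids(findings):
    """Sorted, de-duplicated CVE identifiers, ready to hand to a tracker."""
    return sorted({cve for f in findings for cve in f.cves})


if __name__ == "__main__":
    found, summ = parse_audit(SAMPLE_AUDIT)
    for f in found:
        print(f"{f.package}: {f.title} [{', '.join(f.cves)}]")
    print("summary consistent:", summary_matches(found, summm := summ))
```

Feeding the script the output of a later audit run and diffing `cve_ids()` between the two runs shows which advisories an update actually cleared; the `summary_matches()` check guards against a truncated paste or a format change silently dropping entries.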