OPNsense Security vulnerabilities site

Started by fsebera, January 11, 2022, 05:35:27 PM


Is there a web site that shows known OPNsense security vulnerabilities?

Thank you
Frank

You can run a security scan on any OPNsense system under System -> Firmware -> Status -> Run an audit -> Security. It will tell you the CVEs affecting your current system. For example, mine gave me the following output:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527
  WWW: https://vuxml.freebsd.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html

ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817
  WWW: https://vuxml.freebsd.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html

  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816
  WWW: https://vuxml.freebsd.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html

  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
  CVE: CVE-2021-41819
  WWW: https://vuxml.freebsd.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html

4 problem(s) in 2 installed package(s) found.
***DONE***

Is this what you are looking for? :)
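The audit output above has a regular shape, so it can be parsed for tracking or alerting instead of being read by eye. As an added example (not part of this thread, OPNsense or pkg), the Python below parses a constructed sample in that format into one record per VuXML entry and cross-checks the closing "N problem(s) in M installed package(s)" line against what it parsed:

```python
import re
from dataclasses import dataclass

# Constructed sample in pkg audit's output format (entries copied from the post above).
SAMPLE = """\
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527
  WWW: https://vuxml.freebsd.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817
  WWW: https://vuxml.freebsd.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816
  WWW: https://vuxml.freebsd.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
3 problem(s) in 2 installed package(s) found.
"""

@dataclass
class Finding:
    package: str   # installed package, e.g. "nss-3.72"
    title: str     # VuXML entry title ("<port> -- <summary>")
    cves: list     # one VuXML entry may carry several CVE ids
    url: str

PKG_RE = re.compile(r"^(\S+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")

def parse_audit(text):
    """Parse pkg-audit output into Findings and cross-check its summary line."""
    findings, pkg, title, cves, summary = [], None, None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PKG_RE.match(line):
            pkg = m.group(1)
        elif line.startswith("CVE:"):
            cves.append(line[4:].strip())
        elif line.startswith("WWW:"):  # the WWW line closes one entry
            findings.append(Finding(pkg, title, cves, line[4:].strip()))
            title, cves = None, []
        elif m := SUMMARY_RE.match(line):
            summary = (int(m.group(1)), int(m.group(2)))
        elif pkg and " -- " in line:  # "<port> -- <title>" line
            title = line
    parsed = (len(findings), len({f.package for f in findings}))
    if summary is not None and summary != parsed:
        raise ValueError(f"summary {summary} disagrees with parsed entries {parsed}")
    return findings
```

Feeding it the real output of the firmware audit (or `pkg audit` on the shell) gives a list that can be diffed between runs to spot newly reported CVEs.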

I think this is on the right track - It appears OPNsense.org is self-managing a publicly accessible database the firewall is referencing to determine what security issues exist on itself. - Right?


My guess (because I don't actually know) is that they just cross reference the installed packages with the publicly available CVE database and that they don't run a server themselves. But maybe someone else can enlighten us ;)

We just use the FreeBSD package vulnerability database via pkg-audit utility which matches against the installed packages. It's run by FreeBSD and tailored for their ports. Sometimes there are (human) errors in these reports, but overall it works really well.


Cheers,
Franco