Security vulnerabilities in FreeBSD

[MacToken]

Hi all,
there are currently some serious security vulnerabilities in FreeBSD, e.g. CVE-2024-43102 with rating: 10.0 CRITICAL.
Can anyone tell which OPNsense versions are affected? Thanks!

[Patrick M. Hausen]

As far as I can read from the security advisory all current supported versions of OPNsense are affected.

Please do take into consideration that "execution of malicious code" is not a common scenario on a dedicated firewall appliance. I see the risk for any OPNsense connected to the Internet as moderate at most. One would need to find another vulnerability that enables remote code execution first.

And even then the advisory reads:

A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can
panic the kernel or enable further Use-After-Free attacks, potentially
including code execution or Capsicum sandbox escape.

Relax, the CVE score system is not a valid indicator of actual risk. Probably will be patched in tomorrow's 24.7.4 ...

@franco?

[franco]

Yes, tomorrow.


Cheers,
Franco

[MacToken]

Hello,

yes, I am aware that different use cases offer different attack surfaces.
But it makes you feel uneasy when you read "that makes this one of the most dangerous vulnerabilities discovered in FreeBSD so far".

Thanks for your quick replies.

[Patrick M. Hausen]

"that makes this one of the most dangerous vulnerabilities discovered in FreeBSD so far".

Says who? There's nothing of that alarmist kind in the security advisory.

[franco]

At the moment we even have to weigh the benefits of shipping or leaving out FreeBSD security advisories in order to ensure stability. However important researchers and FreeBSD thinks the issue is it also needs to be grounded in reality and practicability, which adds more time to our process in making them available either way.


Cheers,
Franco

[JeGr]

"that makes this one of the most dangerous vulnerabilities discovered in FreeBSD so far".

Says who? There's nothing of that alarmist kind in the security advisory.

Jumping in quickly as I also have customers that are asking the same thing. The problem is this:

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2056

As CERT Bund / BSI issued a critical warning >=9, various companies, KRITIS etc. are required(!) to act in no more then 10 days and patch that holes. So they want to know IF and if they are how fast that can be patched, workarounded, mitigated or somehow be done with.
There's also the resolution that you as vendor say "there is no danger there, move along", but they need some kind of answer on how to proceed. I've also checked the bugs and would guess that most/all of them would need local users or code to exploit, so if the firewall itself offers no service, no users to login besides admins etc. there's no imminent danger, but in that case the customers need to cover their bases for the CERT advisory or they'd be held accountable for not patching, potentially loosing their insurance cover or have to pay fines.

So even when not that dangerous for our firewall use case, an advisory is needed

Cheers
\jens

[chemlud]

@JeGr, not you personally, but:

The tickbox idi*ts are taking over. Wow...

[Greg_E]

@JeGr, not you personally, but:

The tickbox idi*ts are taking over. Wow...

That was my thought too. These insurance and regulatory agencies know absolutely nothing about what the problem is, what the fix might be, or how serious the problem could be under specific conditions.

Did these same places give Yubikey a severity of 10 for the recent EM radiation exploit? How about the recent RAM EM attack or the very old power supply current attack to read out bits and the power supply and fan noise attack to again read out data.

[X] Cisco next gen firewall
[X] Endpoint protection by one of three companies
[  ] OS patches up to date - nope we don't need this (yes I have experience here that did end in an attack)

etc.

[chemlud]

@JeGr, not you personally, but:

The tickbox idi*ts are taking over. Wow...

That was my thought too. These insurance and regulatory agencies know absolutely nothing about what the problem is, what the fix might be, or how serious the problem could be under specific conditions.

Did these same places give Yubikey a severity of 10 for the recent EM radiation exploit? How about the recent RAM EM attack or the very old power supply current attack to read out bits and the power supply and fan noise attack to again read out data.

[X] Cisco next gen firewall
[X] Endpoint protection by one of three companies
[  ] OS patches up to date - nope we don't need this (yes I have experience here that did end in an attack)

etc.

...it's much, much worse

https://www.zdnet.de/88418007/zoom-erhaelt-it-sicherheitskennzeichen-des-bsi/

[JeGr]

@JeGr, not you personally, but:

The tickbox idi*ts are taking over. Wow...

No offense taken, I'm feeling it exactly the same way. We (Patrick and me) already talked about various cases in the usergroup meets and it really gets worse every time. And I (mostly) don't even blame our customers, because they often only have to fulfill these requirements - between a rock and a hard place - regardless of whether it makes sense or not. Just because someone higher up bought some insurance or they are even legally obligated to cater to those checklists. *sigh*