High CVE Patching

Started by TotalGriffLock, March 12, 2025, 10:41:55 AM

March 12, 2025, 10:41:55 AM Last Edit: March 12, 2025, 10:55:24 AM by TotalGriffLock
We run an environment with several business edition Deciso hardware OPNsense firewalls. There are strong compliance and vulnerability requirements in the environment, as it is CNI adjacent. SLA requires vulnerabilities to be mitigated or patched within days not weeks, which goes against the patching ethos of business edition.

At the time of writing, there is CVE-2025-26466 affecting OpenSSH < 9.9p2 and CVE-2025-27516 affecting Jinja2. Is there a (supported?) way the updated versions of these packages can be pulled and installed to satisfy my SLA requirements around timely remediation of vulnerabilities? SSH just comes from ports (I think?) so I think that could be trivial, not so sure about Jinja2. The exposure is obviously reduced as these services are not exposed anywhere other than an internal management network, but that doesn't stop the vulnerability scanner from sending big red warnings to the security team...

CVE-2025-27516 affecting Jinja2 was fixed in community yesterday and isn't much older than that if at all exploitable. I already planned to hotfix business, but we also need to ensure that these things don't cause regressions first. But also:

plugins % git grep '|[^a-z]*attr' */*/src/opnsense/service/templates | wc -l
       0

core % git grep '|[^a-z]*attr' src/opnsense/service/templates | wc -l
       0

For CVE-2025-26466 it's a bit different. Medium score and DoS warrant patching and I agree it needs patching in the next release, though that's also where it would be patched at the latest anyway. By default SSH is not exposed and you can even use IPS or firewall to rate limit.


Cheers,
Franco

Vulnerability scanners are blunt instruments, and context always matters. Your security team should adjust for that.

Based on your description, you already had the mitigations in place before either vulnerability was announced.

Priority wise, should you actually have an attacker on the management network there is an argument to be made that higher value targets exist there. Bringing down a bunch of FWs would hardly be a financially rewarding endeavour.

Quote from: newsense on March 12, 2025, 12:39:59 PM
Vulnerability scanners are blunt instruments, and context always matters. Your security team should adjust for that.

Based on your description, you already had the mitigations in place before either vulnerability was announced.

Priority wise, should you actually have an attacker on the management network there is an argument to be made that higher value targets exist there. Bringing down a bunch of FWs would hardly be a financially rewarding endeavour.

Yes, I am part of the security team :) The issue I am trying to resolve is really one of upward management, because reports from vulnerability scanners go directly to the customer in this environment which results in pressure. That is not an OPNsense problem though so wasn't going to go through all that detail on here, it is a customer management issue. Of course several technical mitigations are in place that significantly reduce the exposure.

Quote from: franco on March 12, 2025, 12:13:47 PM
CVE-2025-27516 affecting Jinja2 was fixed in community yesterday and isn't much older than that if at all exploitable. I already planned to hotfix business, but we also need to ensure that these things don't cause regressions first. But also:

plugins % git grep '|[^a-z]*attr' */*/src/opnsense/service/templates | wc -l
       0

core % git grep '|[^a-z]*attr' src/opnsense/service/templates | wc -l
       0

For CVE-2025-26466 it's a bit different. Medium score and DoS warrant patching and I agree it needs patching in the next release, though that's also where it would be patched at the latest anyway. By default SSH is not exposed and you can even use IPS or firewall to rate limit.


Cheers,
Franco

Thank you Franco, that is very useful ammunition for me to go back with around Jinja2. Is there a way to pull the latest ssh package from ports while leaving the rest of opnsense alone?

You can try to install the community version, but I haven't tested it:

# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/latest/All/openssh-portable-9.9.p2_1,1.pkg

I'll get the business up to speed tomorrow from the looks of it just to be sure.


Cheers,
Franco
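Franco's `git grep` above is a quick way to show the auditor that no shipped template pipes into Jinja2's `attr` filter, and the `pkg add` line above is how the fixed OpenSSH package would land on a box. Neither the thread nor OPNsense ships a script that turns those two checks into remediation evidence, so the following is an added example (not OPNsense project code): it re-implements the same `|[^a-z]*attr` template scan in Python, and it parses FreeBSD package version strings such as `9.9.p2_1,1` so the first column of `pkg info` output can be compared against the fixed versions. The template text and `pkg info` lines are constructed sample input; the package name `py311-jinja2`, the Jinja2 fixed version `3.1.6`, and the simplified version-ordering rules (epoch after `,`, port revision after `_`, dotted numeric parts, `pN` patch levels) are assumptions of this example, not pkg's own implementation.

```python
"""Added example, not OPNsense project code: evidence checks for the two CVEs
discussed in the thread.

- find_attr_filter_uses(): same idea as `git grep '|[^a-z]*attr'` in Franco's
  post, line by line, for every template handed to it.
- pkg_version_at_least(): compares FreeBSD pkg version strings so that the
  installed openssh-portable / jinja2 versions can be checked mechanically.
"""
import re

# Same pattern as the grep in the thread: a pipe, any run of characters that
# are not lowercase letters, then 'attr'.  Catches `|attr(` and `| attr(`,
# does not catch unrelated filters such as `|default(`.
ATTR_FILTER_RE = re.compile(r"\|[^a-z]*attr")

# Constructed sample templates (not from an OPNsense install).
SAMPLE_TEMPLATES = {
    "safe.conf": "server:\n"
                 "  interface: {{ host.address }}\n"
                 "  verbosity: {{ host.verbosity|default(1) }}\n",
    "risky.conf": "{% set cls = obj|attr('__class__') %}\n"
                  "name: {{ obj | attr(field) }}\n",
}

# Constructed `pkg info` style lines; the first token is name-version.
SAMPLE_PKG_INFO = [
    "openssh-portable-9.9.p1_1,1    The portable version of OpenBSD's OpenSSH",
    "py311-jinja2-3.1.4             Fast and easy to use stand-alone template engine",
]

# Versions that carry the fixes.  9.9p2 is from the thread; 3.1.6 for Jinja2
# and the py311-jinja2 package name are assumptions of this example.
FIXED_VERSIONS = {
    "openssh-portable": "9.9.p2,1",
    "py311-jinja2": "3.1.6",
}


def find_attr_filter_uses(templates):
    """Return (template_name, line_number, stripped_line) for every line
    that pipes a value into the attr filter."""
    hits = []
    for name, text in templates.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if ATTR_FILTER_RE.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def parse_pkg_version(version):
    """Simplified FreeBSD pkg version model (an assumption of this example):
    '9.9.p2_1,1' -> (epoch=1, [('', 9), ('', 9), ('p', 2)], revision=1)."""
    epoch = 0
    if "," in version:
        version, epoch_s = version.rsplit(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in version:
        version, rev_s = version.rsplit("_", 1)
        revision = int(rev_s)
    components = []
    for part in version.split("."):
        m = re.fullmatch(r"([a-z]*)(\d+)", part)
        if not m:
            raise ValueError("unsupported version component: %r" % part)
        letters, digits = m.groups()
        components.append((letters, int(digits)))
    return epoch, components, revision


def pkg_version_at_least(installed, minimum):
    """True when `installed` is the same as or newer than `minimum`.
    Tuple comparison makes '9.9' sort below '9.9.p2' and honours epoch
    and port revision in that order."""
    return parse_pkg_version(installed) >= parse_pkg_version(minimum)


def split_pkg_name(name_version):
    """'openssh-portable-9.9.p2_1,1' -> ('openssh-portable', '9.9.p2_1,1')."""
    name, version = name_version.rsplit("-", 1)
    return name, version


def check_packages(pkg_info_lines, fixed_versions):
    """Map each package in `fixed_versions` to True if the installed version
    (from `pkg info` style lines) is at least the fixed one; a package that
    is not installed at all is reported as False so it is not overlooked."""
    installed = dict(split_pkg_name(line.split()[0]) for line in pkg_info_lines)
    return {
        name: name in installed and pkg_version_at_least(installed[name], minimum)
        for name, minimum in fixed_versions.items()
    }


if __name__ == "__main__":
    for name, lineno, line in find_attr_filter_uses(SAMPLE_TEMPLATES):
        print("%s:%d: %s" % (name, lineno, line))
    for name, ok in check_packages(SAMPLE_PKG_INFO, FIXED_VERSIONS).items():
        print("%-20s %s" % (name, "fixed" if ok else "NOT fixed"))
```

On a real box, feed `check_packages()` the lines of `pkg info` and `find_attr_filter_uses()` the files under `/usr/local/opnsense/service/templates`; the per-line scan mirrors grep, so a filter split across lines would not be seen by either.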


March 14, 2025, 10:19:18 AM #7 Last Edit: March 14, 2025, 10:22:17 AM by DEC670airp414user
Quote from: franco on March 13, 2025, 03:20:35 PM
Done: https://forum.opnsense.org/index.php?topic=45616.msg232141#msg232141

Updated. Did not reboot.
Unbound stopped and stopped reporting blocklists. In fact it showed wiped out (that's a first for me).
I restarted the service and all was well again.

I believe I'll set OPNsense to reboot upon successful updates going forward as I did not reboot.

> unbound stopped and stopped reporting blocklists.

Looks coincidental to me.


Cheers,
Franco