Topic: OPNsense Security vulnerabilities site (Read 2321 times)
fsebera (Newbie, Posts: 38, Karma: 2)
OPNsense Security vulnerabilities site
« on: January 11, 2022, 05:35:27 pm »
Is there a web site that shows known OPNsense security vulnerabilities?
Thank you
Frank
joeyboon (Newbie, Posts: 41, Karma: 2)
Re: OPNsense Security vulnerabilities site
« Reply #1 on: January 11, 2022, 05:58:11 pm »
You can run a security scan on any OPNsense system under system -> firmware -> status -> run an audit -> Security. It will tell you the CVEs affecting your current system. For example, mine gave me the following output:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
Is this what you are looking for?
fsebera (Newbie, Posts: 38, Karma: 2)
Re: OPNsense Security vulnerabilities site
« Reply #2 on: January 11, 2022, 06:17:16 pm »
I think this is on the right track - It appears OPNsense.org is self-managing a publicly accessible database the firewall is referencing to determine what security issues exist on itself. - Right?
joeyboon (Newbie, Posts: 41, Karma: 2)
Re: OPNsense Security vulnerabilities site
« Reply #3 on: January 11, 2022, 06:52:36 pm »
My guess (because I don't actually know) is that they just cross-reference the installed packages with the publicly available CVE database and that they don't run a server themselves. But maybe someone else can enlighten us.
franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Re: OPNsense Security vulnerabilities site
« Reply #4 on: January 11, 2022, 08:04:46 pm »
We just use the FreeBSD package vulnerability database via the pkg-audit utility, which matches against the installed packages. It's run by FreeBSD and tailored for their ports. Sometimes there are (human) errors in these reports, but overall it works really well.
Cheers,
Franco