Got to love pfsense
With the “shocking” news about the UPnP vulnerability from Rapid7, you kind of have to check your own system… As a long-time supporter of open source, it’s good to know that I’m safe for now. I’m also wondering why we always hear these shocking headlines about XX millions of systems affected, and when you actually start reading the whitepapers, 9 out of 10 times they are only applicable to old and outdated versions. Do act with due diligence,
and for heaven’s sake, keep your system up to date!
From PFSense blog:
These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.
This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.