On 9/18/2014 8:55 AM, Martin Fuchs wrote:
> Does CVE-2004-0230 affect pfSense 2.1.5 ?

As Vick mentions, practically the answer is 'no'.

There are some rare cases when it might, however. It would require:

1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all
packet filtering")
1a. Or the default rules were replaced by interface and floating rules
in every direction set to 'no state'

2. The firewall is still reachable by the attacker

3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
local services such as the GUI, packages such as haproxy or squid, etc,
*NOT* WAN-to-LAN or LAN-to-DMZ type connections.

If all of the above are true then it may be susceptible to the attack
described in the FreeBSD SA.

I don't think I have ever witnessed a setup that met all of those
criteria, and even those that could meet the criteria wouldn't
necessarily have long-lived connections for which such a TCP session
reset would have any meaningful impact.

We will have the fix in 2.2 but I'm not sure if there will be another
2.1.x release at this time, but we'll see what happens.

Jim
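
An added example, not part of the original message and not pfSense code: a shell sketch that evaluates conditions 1, 1a and 3 from the reply above against saved output of `pfctl -s info`, `pfctl -sr` and `netstat -an -p tcp`. The function names are hypothetical, the output layouts are assumed to be the usual FreeBSD ones, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not pfSense code): evaluate conditions 1, 1a and 3 above
# from saved command output. Condition 2 (reachability) is not checked.

# Condition 1. stdin: `pfctl -s info`. Prints enabled, disabled or unknown.
pf_status() {
    awk '/^Status:/ { print tolower($2); seen = 1; exit }
         END { if (!seen) print "unknown" }'
}

# Condition 1a. stdin: `pfctl -sr`. Counts pass rules that still create
# state, i.e. lack the "no state" option.
stateful_pass_rules() {
    awk '$1 == "pass" && !/ no state( |$)/ { n++ } END { print n + 0 }'
}

# Condition 3. stdin: `netstat -an -p tcp`. Counts listening TCP sockets,
# the services running on the firewall itself.
local_listeners() {
    awk '$NF == "LISTEN" { n++ } END { print n + 0 }'
}

# Args: files holding the pfctl -s info, pfctl -sr and netstat output.
assess() {
    status=$(pf_status < "$1")
    stateful=$(stateful_pass_rules < "$2")
    listeners=$(local_listeners < "$3")
    if [ "$status" = unknown ]; then
        echo "unknown: no pf status line"
    elif [ "$status" = enabled ] && [ "$stateful" -gt 0 ]; then
        echo "not met: pf enabled, $stateful stateful pass rule(s)"
    elif [ "$listeners" -eq 0 ]; then
        echo "not met: no local TCP listeners"
    else
        echo "met: $listeners local TCP listener(s) without stateful filtering"
    fi
}

# Constructed sample (not captured from a real system): pf enabled, but
# every pass rule is 'no state', and the GUI listens on 443.
d=$(mktemp -d)
printf 'Status: Enabled for 3 days 02:10:44           Debug: Urgent\n' > "$d/info"
printf '%s\n' 'block drop in log all' \
    'pass in quick on em0 proto tcp from any to any no state' \
    'pass out quick on em0 all no state' > "$d/rules"
printf '%s\n' 'tcp4  0  0 *.443          *.*            LISTEN' \
    'tcp4  0  0 10.0.0.1.443   10.0.0.9.51514 ESTABLISHED' > "$d/sock"
assess "$d/info" "$d/rules" "$d/sock"
```

A "met" result only says that conditions 1 or 1a and 3 hold; whether the firewall is reachable (condition 2) still has to be judged separately.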