Information and network security solutions that claim to protect businesses from bad actors on the Internet is big business. Unfortunately, many of those vendors sell promises of mitigation based on fear. The best way to understand how you are actually being protected is to audit the security software being used. An independent code review is one of the most fundamental and significant steps that occurs during the software development process.

In 2016, Netgate engaged with Infosec Global, an independent, third-party firm with over 150 years of collective experience in the security and IT industry, to conduct a top to bottom, post-commit audit of pfSense® software version 2.3.2. A post-commit audit is where the source code is reviewed after being committed to the codebase and may already be used in production environments. Any bugs that are identified or vulnerabilities found during the code review are patched and recommitted to the codebase.

Conducting an independent code review dramatically helps improve the quality of the product. Netgate is dedicated to responding effectively to new threat advisories and mitigating any associated concerns immediately through a transparent, rapid release process to our customers around the world. Previous examples of this include, but are not limited to: CVE-2014-6271 “Shellshock” and CVE-2014-0160 “Heartbleed” from 2014. Netgate engineers analyzed, patched, tested and deployed a new version in 48 hours while other major vendors took weeks to issue updates for their products.

For this project, Netgate provided Infosec Global with the Netgate XG-2758 1U Security Gateway Appliance with pfSense software version 2.3.2 installed with a default production configuration and the source code included the commercial features which are not included in the community edition as the target for this engagement. The software provided for the purpose of this audit is only available pre-installed on pfSense security appliances from Netgate.

This project was managed by Technical Director Ahmed Techini and Security Engineers Paul Lam and Daniele Bastianello. ISG employed both automated and manual code review approaches to conduct the source code review, as outlined in the final report. All evaluation activities were conducted in the ISG Globus Cyber Assurance facility based in Ottawa between early September to mid-October 2016 with an addendum based on previously-mitigated items issued in December 2016.

“The overall opinion of the engagement team is that the Netgate XG-2758-1U pfSense security appliance is a well designed, robust and secure security appliance with a large community behind it making this product an easy choice to recommend for businesses of any size.”

Infosec Global scores threats on a bottom-up percentage scale, with 0% being a perfect score and 100% being most critical. As indicated in the audit report, pfSense 2.3.2 scored an outstanding 1%, which included concerns that were mitigated during the audit process with the release of pfSense software version 2.3.2_p1, or that were raised but do not apply to the firmware reviewed.

At the time of the report, there were no outstanding CVEs associated with the deployed version of pfSense provided by Netgate.

Between the time the aforementioned software was provided and this security report was finalized, Netgate released pfSense version 2.3.2_p1 which addressed several of the issues mentioned in the report (see addendum). Other topics listed in the report which warrant comment include:

7.3.2.1 bzip2 1.0.6 CVE-2016-3189 pfSense has no features that utilize this function. Other vendor comments regarding the lack of severity of this CVE can be found at https://bugzilla.redhat.com/show_bug.cgi?id=1319648

7.3.2.5 Readline 5.2 CVE-2014-2524 Issue has been addressed in pfSense 2.4 with readline 6.3.8. pfSense 2.3.x uses readline from FreeBSD base which is GNU readline 5.2. The affected function is in a debug/trace area of readline and only used internally in readline and is not relevant to pfSense . Other vendors did not deem it worthy of a response (See https://access.redhat.com/security/cve/cve-2014-2524 ). This will not be addressed in pfSense 2.3.x.

7.3.2.3 OpenSSL FreeBSD maintains its own patches for OpenSSL, so relying on the OpenSSL version number alone is not accurate when considering which vulnerabilities affect a specific FreeBSD version. CVE-2016-6306, CVE-2016-6304 Addressed by FreeBSD-SA-16:26, fixed in FreeBSD 10.3-RELEASE-p9 https://www.freebsd.org/security/advisories/FreeBSD-SA-16:26.openssl.asc pfSense 2.3.2-p1 is built against 10.3-RELEASE-p9, so it and later versions are not vulnerable. CVE-2016-2176, CVE-2016-2109, CVE-2016-2107, CVE-2016-2106, CVE-2016-2105 Addressed by FreeBSD-SA-16:17, fixed in FreeBSD 10.3-RELEASE-p2 https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc pfSense 2.3.1 was built against 10.3-RELEASE-p3, so it and later versions are not vulnerable.



Other mitigations:

7.3.2.2 cURL 7.49.1 – Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1

– Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1 7.3.2.4 Libxml2 2.9.3 – Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1

– Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1 7.3.2.6 PHP 5.6.23 – Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1

– Already upgraded to non-vulnerable versions on >= pfSense 2.3.2p1 7.3.2.7 Simplepie 1.3.1 – Upgraded on pfSense 2.3.3/2.4

Download the Report

About InfoSec Global Inc.

InfoSec Global develops innovative cybersecurity software and solutions for enterprise and government. Our Globus™ product line includes Crypto and Multi-Crypto, Network Protection and Cyber Assurance. Our team consists of renowned experts, the world’s best cryptographers, inventors of the foundations of Internet security, and global leaders at the leading edge of cyber security. We empower customers with security solutions they control for highly complex regulatory environments. With offices in Canada, Switzerland and the United States, we’re equipped to meet trust needs, compliance requirements and get results. To learn more, visit www.infosecglobal.com

About Netgate

Netgate is a leading networking and security company and the home of pfSense; the world’s most popular open-source Firewall/Router/VPN platform. Our expertise in networking and security, combined with Intel-powered networking technologies, enables us to deliver to businesses of all sizes next-generation networking appliances, platforms and intelligent security solutions from the edge to the cloud. Netgate is shaping the future of high-performance secure communication. Secure networks start here.™ Visit www.netgate.com for more information.