tl;dr: If you’re having shell problems I feel bad for you son. I got 99 problems but bash ain’t one.
If you’ve not heard, Stephane Chazelas discovered a vulnerability in bash related to how it processes environment variables: when an exported variable’s value looked like a function definition, any code trailing the function body was executed on startup, regardless of the variable’s name. In many common configurations (anything that lets an attacker set an environment variable seen by bash, such as CGI), this vulnerability is exploitable over the network.
NIST has assigned CVE-2014-6271 a CVSS score of 10. Proofs of concept are starting to appear.
So the question becomes, “is pfSense® affected?”
The short answer is: unlikely, though four packages (listed below) could lead to an exploit. The base system of pfSense does not include bash, so the problem is reduced to packages.
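As an added check (example code written for this note, not pfSense’s own; the function names find_bash, probe_name and shellshock_probe are mine), the following POSIX sh script answers the two questions above: is bash on the system at all, and if so, does it execute trailing code from an environment variable whose value starts with “() {”. It uses the widely circulated public test string for CVE-2014-6271 and is written for sh so it runs on a host with no bash.

```shell
#!/bin/sh
# Added example, not pfSense project code: a probe for the CVE-2014-6271
# parsing bug built on the widely published public test string. Written
# for POSIX sh so it also runs on a host with no bash. Function names
# (find_bash, probe_name, shellshock_probe) are my own.

# Print the path of a bash binary found on PATH, or nothing if none.
find_bash() {
    command -v bash 2>/dev/null || true
}

# Export one variable whose VALUE starts with "() {" and see whether the
# code after the closing brace runs. Prints "vulnerable" or "patched".
#   $1 = bash binary, $2 = environment variable name to use
# The name is arbitrary: old bash scanned every exported value for the
# "() {" prefix, treated it as a function definition, and kept parsing
# and executing what followed it. A vulnerable bash prints the marker
# while importing its environment, before it gets to the -c body.
probe_name() {
    bashbin=$1
    name=$2
    out=$(env "$name=() { :; }; echo TRAILING_CODE_RAN" \
          "$bashbin" -c 'echo body-ran' 2>/dev/null) || true
    case "$out" in
        *TRAILING_CODE_RAN*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Prints one of: no-bash, vulnerable, patched.
# Two names are tried: an arbitrary one, and HTTP_USER_AGENT, the kind of
# name a CGI web server gives a request header, which is why the bug is
# reachable over the network wherever bash ends up behind CGI.
shellshock_probe() {
    bashbin=$(find_bash)
    if [ -z "$bashbin" ]; then
        echo "no-bash"
        return 0
    fi
    r1=$(probe_name "$bashbin" PROBE)
    r2=$(probe_name "$bashbin" HTTP_USER_AGENT)
    # Either name triggering it is enough to call the binary vulnerable.
    if [ "$r1" = "vulnerable" ] || [ "$r2" = "vulnerable" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

shellshock_probe
```

On a pfSense base install the expected answer is no-bash; on any box where a package has pulled bash in, the answer tells you whether that binary still has the original bug. A result of patched covers only the parsing bug described above: the first round of bash fixes turned out to be incomplete (CVE-2014-7169), so the installed bash version should still be compared against the vendor’s advisory rather than treated as clean on the strength of this one string.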
Four packages are affected, and only one of them is commonly used. The affected packages are:
- Anyterm – This package ships bash as a prebuilt binary checked into the git repo, not as a .pbi or .tgz built from source. It will simply be retired, since it is unmaintained and rarely used. We will review all packages, and any that contain binaries we have not built from source will be removed or re-engineered so that we can compile them from source.
- Freeswitch-dev – Runs pkg_add to install bash. This package is not actively maintained and can likely be removed from the package list with minimal community impact.
- FreeRADIUS2 – Adds bash via pkg_add from FreeBSD’s 8.3-RELEASE package set if the user enables Mobile-One-Time-Password (varsettingsmotpenable). We’re looking into the best way to fix it.
- Mailscanner – Also installs bash; it will be fixed shortly.
Given the lack of impact on pfSense software version 2.1.5 or the pfSense 2.2-BETA images, no fix to the base system is required, so we don’t plan a release in response to this issue.
UPDATE: Affected packages have been updated or removed. Full details are in the security announcement which was posted this afternoon. -jimp