Refresh.IT – pfSense firewall not updating from 2.7.0

A recent article https://www.bleepingcomputer.com/news/security/over-1-450-pfsense-servers-exposed-to-rce-attacks-via-bug-chain/ shows that there are issues with pfSense 2.7.0 – specifically, remote code execution vulnerabilities that had been discovered some time ago. I run pfSense to protect my home networks. I checked my virtual firewalls were currently on 2.7.0, but then I saw this on the Update screen.

pfSense is supposed to be able to update on command, but obviously it wasn’t giving me any updates as it was supposed to even though the current Stable Release was showing up. I checked my backup firewall, and the same thing was happening on that one.

I run two firewalls in parallel so that I can update one of them, then swap over when I need to and then update the other one. After doing a bit of Googling, I found a Reddit thread where someone mentioned that running a “certctl rehash” command fixed it for them. Netgate documentation shows that this may be needed if there are issues fetching packages.

As this is unlikely to break anything, I thought I would try this.

After running this command, I went back to check updates.

This command appears to have fixed the update problem, and I can now see that 2.7.2 is showing for me to confirm the update.

Now that the backup firewall is up to date, I can run it on the main firewall. Unfortunately, after the main firewall update ran, I saw an issue on the console that /etc/rc.initial wasn’t found. It should be showing a console menu like this:

The other thing I found was that the dashboard was still showing that it was on 2.7.0, but the update screen said it was currently on 2.7.2 – hence, it appears that the update somehow didn’t complete. Anyway, the backup firewall was still running, so I tried rebooting the main firewall – it came up but didn’t get a WAN IP address, and also the LAN interface wasn’t pinging – so something is definitely amiss with it.

No matter, I can just power it down and install a new virtual firewall with the current pfSense 2.7.2, which I did the following morning. Once the appropriate settings were made – I was back in business with a new backup firewall. The broken firewall – I could either try further troubleshooting, which might not be very productive, or just install 2.7.2 over the top.

I could also install another virtual firewall which is based on OPNsense. I have been testing OPNsense over the past year in my lab and it appears stable. Anyway, that is all for now. Another Refresh.IT of pfSense.