Tom here from Lawrence Systems. It is December 12th of 2023. And according to Bleeping Computer, there's over 1,450 publicly exposed pfSense instances that are vulnerable to a remote code execution attack, provided you chain some bugs together. Also provided that you've publicly exposed your interface, and also provided that someone has a valid user to log in as. I want to talk about how I look at the news, how I decipher these things in the news, so you can do this quickly as well. So the too long; didn't watch: if your system's patched and you used the patches in pfSense, or you updated your system to the latest version, this particular bug set has been fixed and it was addressed rather quickly. It was addressed within 48 hours, but Bleeping Computer seems to have omitted that, but it wasn't hard to find. And I didn't have to have some insider knowledge. It turns out I just clicked the link inside of Bleeping Computer. Let's talk about the why and the behind the news of how these stories come to be, how that news came to be, how you can look at this more objectively as well, so you can understand it the way I do. All the links that we talked about are listed down below. So let's get started.
Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage or virtualization projects? Perhaps you're an internal IT team seeking help to practically manage, monitor or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the hire us form at lawrencesystems.com. Let us start crafting the perfect IT solution for you.
If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we've discussed on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.
Now, we'll start here at the Bleeping Computer article. And if you didn't know this, Bleeping Computer is a news site, not a security research site, but they post a lot of good articles, and sometimes, in this one, they buried the lead a little bit, didn't give you some of the details. Let's jump right over to SonarSource. These are the people with the details. Now, let's start with motive. Why would someone take the time to do security research on pfSense? Well, that's because it's really popular. And Sonar has got a product here that does code auditing, awesome, explore pricing right here at the top. So publishing a popular article, getting it listed in Bleeping Computer, is a success story for marketing, because they would like you to buy this product, and they published this on December 11th. And I actually really think this is cool. They did a great job. I love good security write-ups. I've cited many companies that do these types of write-ups and they talk about how their product went through and found the problem and found all these little bugs. And the things that are really important to remember, and it's all disclosed in here very clearly, although this is a lot longer than the Bleeping Computer article: it does let you know that it does require an authenticated user, and they talk about methods to get authenticated user access. And of course, this requires it to be publicly exposed to the internet to be a remote code execution from an external source. And let's jump down here, though, to the part that matters, because this was responsibly disclosed by the people at Sonar to the people at Netgate who maintain pfSense.
So on 7/3, the day before the 4th of July holiday here in the United States, "we report all issues to Netgate." The day after the 4th of July, "Netgate acknowledges all issues and fixes them." So clearly, from the security researchers, not from Bleeping Computer, we have the timeline well established here that this was all done very quickly. Now, this is done via the patches system. I've talked about this before and the patch system is great. I use it. It's available on both your pfSense CE (Community Edition) and your pfSense Plus. And this is a way for Netgate to make minor code changes without having to do a full upgrade. And those patches sometimes can even be applied without rebooting. Watch my video on it. You'll find the link down below. It takes a while before all these advisories become public because, well, as much as I tell you to patch everything, we already know the reality is people don't patch things and there's lots of old things running. So you take a while before you publish these advisories publicly. That's why actually this wasn't released till December 11th over on the Sonar site here, which of course led to the December 12th of 2023 Bleeping Computer article to raise some awareness of it. And we already had patches for both the Netgate releases of 2309.1 and the 271.1. All these have been fixed in those updated releases of pfSense, and more things besides those have been fixed. That's why those other release updates were done, and you'll find that video link down below. But this is a quick way you can run through the news and kind of understand issues that were at hand here and how the news may omit some of them, like that simple thing that you find at the bottom, which is very normal for security researchers, to give you a timeline of this. And I've talked about before and complained and used the timeline done by security researchers to talk about how companies don't patch things fast.
But to me, 48 hours seems pretty reasonable. And I'll also point out their little summary at the end here. And it's basically a fair bragging point. Their software did find these bugs, and it says SonarCloud can help developers keep their code clean by finding injection vulnerabilities, all before vulnerabilities make it into production. So this is, you know, an advertisement, if you will. It is security research that did find some legitimate bugs, but it's also essentially a product showcase to show the power of their Sonar thing. And by the way, they have no relationship or sponsorship with me. I'm actually going to give them a shout out here for free. I know this video will probably get a few views. So hey, pretty cool that companies make software like this. Now, I generally like the articles on Bleeping Computer. I've shared quite a few of them, but I'll admit this one, not so great. I used the links that they provided to the security research to contradict their article on how fast pfSense patched. It's a big miss to me, but I get it. They want to have a sensational headline, and someone fixing something within 48 hours of it being disclosed seems like a boring headline to me and probably wouldn't have caused it to be shared in my forums, the Netgate forums, people tagging me on Twitter in it. I mean, it definitely got some shares, and it also shows me a lot of people don't bother to read the research. That's why I said read the research, scroll down to the bottom. You don't have to know every technical detail, but, well, that one's actually well explained. And I don't think it was too hard of a read, and just jumping down to the bottom answers the immediate question of, oh, they did fix it really fast. Love hearing from all of you. Share your opinions on this. Let me know if you think Netgate's still on top of security or they're not. My opinion is they are. But hey, maybe you have a contradicting opinion.
Leave that down below or head over to my forums for a more in-depth discussion on this topic, where you'll also find the Bleeping Computer article posted and me answering the questions there. And I'll also post this video there. Like and subscribe to see more content from my channel and connect with me over on the socials from LawrenceSystems.com. All right, and thanks.