Tom here from Lawrence Systems, and pfSense version 2.4.5-p1 has been released. It's a point release, and there's just a lot of bug updates. I figure we'll talk about a few of them. I know other people kind of wait, because this was released on June 9th and here we are on June 15th, and yes, I've been pushing these updates to clients and pushing them to many systems, and so far it's gone really smooth. I haven't had any problems at all. Of course, follow the proper update procedures when doing this: update the system before you update any packages. But there are a couple things I want to talk about specifically related to security, and really good reasons you should update this. Before we dive into those details, let's first: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you want to support this channel in other ways, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and what's available and what's not changes from time to time, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just to reach out, say hi and talk tech, our forums are a great place for that.
All right, now back to the content. So here's the Netgate blog post related to all the updates, and here are the security-related updates. We'll talk about the basics. Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events on some multi-CPU platforms, so Hyper-V, Proxmox. And I know I'd seen a few people talking about this, where they had said their virtualized install of pfSense was having a lot of trouble. Specifically, I think I've seen more people talking about it on Hyper-V, but maybe not as many people run it inside of Proxmox. We generally install with our clients, almost a hundred percent of the time, on bare metal, and it's how we run it here, so I didn't really see this issue, but they did fix it for those of you that were experiencing this issue, or maybe have pfSense in your lab set up like this. Fixed an issue with sshguard which could prevent it from protecting against brute force logins; some workarounds there were for sshguard. We're going to dive deeper into the unbound one; that's the other one. The other stuff is all kind of a lot of little notable bug fixes and little issues, including, for people that experienced it, when the internet went out, essentially when there was lost connectivity on WAN, the slow page reloads on the status pages. That's been fixed as well on that dashboard page, so that was definitely an annoying thing if you had experienced it, where the internet would go out and it would take a long time to load. But let's dive into, very specifically... well, we'll cover this one real quick. If you didn't know, the ipfw (IP firewall) invalid mbuf handling: this was a FreeBSD problem, not a zero-day, but it was a way that certain packets could cause some problems and eventually cause it to believe it was a memory exhaustion. Right here: "Incomplete packet data validation may result in accessing out-of-bounds memory."
So the CVE is there. So they fixed this; this was a fundamental FreeBSD problem, so really anything based on FreeBSD that's using this could potentially have a problem. "Access to out-of-bounds mbuf data can lead to a kernel panic or other unpredictable results." So you don't really want unpredictable results. There's not any known problems out in the wild that I'm aware of; it takes a very specific type of packet to create this issue. So that has been addressed and updated. Now the bigger thing is this right here. This is one that was an interesting piece of research called the NXNS attack, and like so many good pieces of research, it has its own website. Didn't get a logo though; I wish it would have sprung for the logo. But it's an interesting DNS amplification attack, and how you may be affected by this, and how it gets updated, is interesting. So it doesn't require someone to be on your network. It requires that someone creates a domain with a really unique set of DNS records, so when unbound tries to resolve that domain, it kind of gets stuck in a loop.
So it's an interesting double amplification attack. So instead of just getting the DNS records like a normal process, someone has to create this domain with malformed records in its DNS. So they need the domain, they need DNS, and they need you to click on it. This can create kind of a problem. Now it just starts, basically, an amplification, so it may run out of resources, may cause a crash. But it also requires a lot of people, for example, to click on a domain, so one click is probably not going to do it; it would probably take a bit more. But you kind of get the idea that there's an issue here. It's also one of those things that it would probably get filtered out relatively quick using any type of DNS filtering, if you're using an upstream provider that does such things. So finding these and attacking it, it's more of a nuisance, but anything that starts as a nuisance that can crash an internal process eventually can lead to being a much deeper problem, in terms of, you know, maybe there's a potential way they could find something that would crash and execute something. Right now, that is not the point. This was put together by security researchers, not something found out in the wild being actively exploited, because there is no exploit or payload at the moment. But it all starts with finding the flaw and finding a way to amplify, and it's been out a little while, so this has now been patched, and the researchers were, a little while ago, diving into all the details around it. Now, this was kind of cool too, because of driver support for Intel wireless: I talked about using Wi-Fi in pfSense, and now they're adding some more, so it's good to see that that is being actively maintained and actively updated for those of you that would like to run wireless on there. Like I said, I have a video on that topic.
It's kind of a neat one; it's something a little bit different. Now, the last little thing I'll talk about is, like, the SG-1100. People have asked me about running Suricata or Snort on those, and I don't think they're all that powerful, but they do have some bug fixes that kind of address issues with that running on there. So that is on the list here of the things that are fixed, but to me those are not the best devices for them. I've always shown people, you know, the most basic device running that... I mean, it's capable of it, but it's not a great idea. At least start with an SG-3100 or higher if you want to run Suricata or Snort on there, because, you know, processor power matters quite a bit. But that's it for the updates. We've been pushing them out to clients; didn't have any problems. So I did it over the weekend, and I'm here in the studio and not on-site repairing something that didn't boot. So so far they've all gone well, knock on wood, table, plastic, whatever this is. It is important that we get these patches out there. I do recommend this update; I don't see any reason not to do it. And I've always been puzzled, especially with the people who just kind of, you know, never update their firewalls. It's probably a good idea; eventually there might be some bug in there so egregious that you're too many versions behind and it would be hard to update. So do stay up with it, do keep it up to date; it's relatively important. Waiting a couple days because you're nervous about it, that's fine. As always, follow the procedures: do a backup first. It's really not that hard to reload pfSense; it's actually pretty easy if it does crash. Make sure you have the drive ready and you can reload it if you need to. All right.
Thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos; they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.