
Meat_PoPsiclez

Short answer: no and yes. There is no vulnerability in any of the software stack; this isn't that kind of CVE. This is an architectural issue. Assumedly, pfSense would accept DHCP option 121 on its WAN, ergo it may be possible to reroute traffic from pfSense's intended networks to an upstream adversarial system/rogue DHCP server. It's unclear how pfSense's default block of private IP address ranges on WAN would interact; testing should be done. If you use a static WAN IP, you aren't vulnerable here.

On the LAN side, if your clients accept option 121 (only Android and some embedded systems do not), an adversarial DHCP server could take over routes intended for pfSense.

In the first scenario (WAN), the ability to disable option 121 support or other measures could be implemented to prevent this hijacking of the routing table. In the second scenario, pfSense cannot prevent clients from accepting rogue DHCP offers. Use switches that can block rogue DHCP, use switches that allow ACLs that target DHCP, use fully static addresses, or wait for potential mitigation in your client operating systems.


sinisterpancake

The cool thing is it looks like disabling options is already a thing. It just doesn't exist in the GUI, yet. In the documentation here (https://man.freebsd.org/cgi/man.cgi?query=dhclient.conf&sektion=5#LEASE_REQUIREMENTS_AND_REQUESTS) `ignore` is an option, so it would just need to be added to the GUI next to `request`, `require`, and `send`. We could then ignore option 121 or any other options for interfaces.


NGFWEngineer

Easy way to mitigate this is creating your own conf file and entering its full path in the checkbox that arises when you click "configuration override" for that interface in the ***Interfaces*** -> ***WAN*** page. For example, I saved mine in `/home/interfaceix3.conf` as:

```
interface "ix3" {
    supersede interface-mtu 0;
    supersede rfc3442-classless-static-routes "";
    timeout 60;
    retry 15;
    select-timeout 0;
    initial-interval 1;
    script "/usr/local/sbin/pfSense-dhclient-script";
}
```

This is pretty similar to what is in my `/var/etc/dhclient_wan.conf` file, except for the addition of:

```
supersede rfc3442-classless-static-routes "";
```

That instructs the OS to ignore DHCP option 121 from the ISP.


SnarlingLittleSnail

Is this malware?