I'm tired of getting hacked because I use this product

Comments

21 comments

  • Avatar
    Ryan Hopkins

    I cannot refute this logic. Patch. Always patch.

    4
    Comment actions Permalink
  • Avatar
    Ma Ar

    That's why I didn't understand the company's response about calling security patches "trends". Anyway, patching OpenSSL was no problem, but when I went to go update OpenSSH, there is a problem with finding the libraries by the compiler. It might actually be just an message output error, as other have have had success ignoring the error and had their make test eval turn out fine. I can try that on my own system, but I don't have enough certainty with the rest of the software packages that tons of fundamentals might end up being broken.

    Regardless, I brought this issue up about a year ago. Doesn't look like the company is working on those patches because the software packages are probably not scheduled for a native release on 18.04... That is a terrible idea too. Anyone else in the forum able to confirm any scripts I post?

    1
    Comment actions Permalink
  • Avatar
    Ma Ar

    So, upon looking into this device even further, I have discovered several more interesting pieces of information. (Maybe someone could verify these to make sure my device is not the only one operating like this.)

    • the device does not appear to boot using a secure boot method, which would expose it to tons of security vulnerabilities.
    • I get random clock resets and BIOS settings tend to get reset often. I took apart the device, and did not find a battery to keep BIOS settings (although I had trouble removing the main board, so could not look under it).
    • The dongle that is plugged into the usb port is actually a generic USB-bluetooth 4.0 dongle which could provide security vulnerabilities in itself. The dongle has nothing to do with a software license as stated by previous postings by the company.
    • The internal port is actually a mini-pcie expansion slot (which was previously denied by support personal. (I have actually put a 4G LTE expansion card in this slot and the drivers for the card were even automatically detected by linux.) I have no idea where this mini-USB idea comes from other than it being written on the device, but it would seem like this company has no idea what they are selling.
    1
    Comment actions Permalink
  • Avatar
    Christer Tysdal

    Thanks for sharing Ma Ar,

    I would love an comment from the Firewalla team.
    For my own part - I do respect that the company is in its early stages. However I would like some transparency to the decisions made by not focusing on these "issues". If that is the case. It's always hard to focusing on improving what you have and also prioritize new features. However - It is an security product marketed against the smb segment.

    2
    Comment actions Permalink
  • Avatar
    heath

    I’d love to hear more on this as well. They use Ubuntu 18.04 LTS as the base, so all of those packages are updated in the upstream repositories so it should just be a simple apt-get update on the box to update it. This should be automatic on any security device, and if they wanted to be able to test before deploying they just need to set up their own repo and configure apt to point to it vs mirrors.

    Comments about the internal components are also interesting but not really relevant. Opening and modifying the hardware voids your warranty. If you don’t care about that, do as you will with the hardware just don’t expect them to fix anything that breaks and don’t expect any updates to work on your modified hardware.

    4
    Comment actions Permalink
  • Avatar
    Rich T.

    Agree hearing from the development team would be great. I did see they are testing with Ubuntu 20, but that too will eventually have vulnerabilities if it doesn't already.

    To the OP, were any of the listed vulnerabilities exploited? The title makes it sound like you've been overrun by hackers.

    2
    Comment actions Permalink
  • Avatar
    Ryan Hopkins

    Upvoted all comments in an attempt to draw further attention to this thread. OP and fellow commenters are correct.

    @Firewalla - This thread has been live for over 3 weeks and there's been zero reply from the company. This is not an appropriate way to handle security concerns for a security device company. I'm considering buying another Firewall due to the lack of transparency as others have mentioned. Previously I myself inquired about the overall security of Firewalla users after the CCP takeover of Hong Kong, and the question was treated with silence as well.

    Valid questions are being posed about Firewalla's actual ability to manage newly found CVEs and patch them without prompting from the community. From a company stand point, that's reactionism. As a security company you should be well aware that being proactive is crucial. At present we haven't been seeing that from Firewalla which is clearly disturbing to the OP and commenters on this thread. 

    Please advise on your course of action to remedy the situation and provide a clear roadmap to the consistent patching of CVEs.

    2
    Comment actions Permalink
  • Avatar
    heath

    Just wanted to add to my earlier comments. 

    1) I haven’t noticed any clock resets or BIOS issues on my unit. It should be simple to determine if there is a backup battery as most BIOS will show the battery voltage on a screen. Note that this hardware is not custom built, it’s an existing unit that the Firewalla team found and is using.

    2) As to secure boot, I’m not really sure what you are looking for to be able to comment.

    I’m not making excuses for Firewalla here, just trying to help understand the issues and possible impacts. 

    1
    Comment actions Permalink
  • Avatar
    Andy brown

    https://help.firewalla.com/hc/en-us/articles/4406630307091-How-to-manually-upgrade-Linux-package-on-your-Firewalla-box

    This is a article about updates.

     They have released Ubuntu 20.04 that you flash yourself. There is a link somewhere.

     Not sure of many companies that are so customer driven and have responded as much in the forums as these have.  If you don’t like that they haven’t responded in a community forum in a timely manor, then move on. 

    0
    Comment actions Permalink
  • Avatar
    Christer Tysdal

    Hi Andy,

    Don't get me (us) wrong. We are all here, as we want this company and product to succeed.

    I have nothing but good experience with both the customer support and their willingness to implement feature requests. However, we have challenged the team with some questions they should be able to answer. Maybe a vulnerability workflow or a lifecycle map would be sufficient for now.

    0
    Comment actions Permalink
  • Avatar
    heath

    I agree with Christer.  This is marketed and sold as a security product.  If nothing else, they should be taking security of the platform as their top priority, without exception.

    And you are right, Andy, if we don’t like it we should move on.  That doesn’t do anyone any good in either the short or the long run, however.  The initial issues raised in this post were about updates to packages that have known vulnerabilities.  And while I appreciate that the Firewalla team has limited resources, they are using an established base Operating System that provides those packages and the updates for them.  It is not like they are being asked to research the vulnerability, develop the patch themselves, recompile the code, validate it and then distribute it.  The packages for these updates are already available in the repositories for the base O/S that they are leveraging.  That is one reason why they elected to use an LTS version of Ubuntu vs. a bleeding edge version.  Patches and updates are provided for a longer time.  There is no reason that the system can’t be configured to do auto-updates on these security packages. The Ubuntu/Debian package system is very robust when it comes to managing dependencies and holding packages back where other packages are dependent on a particular version.  In 99% of the cases, these updates are just to address security issues, and don’t affect the functionality or operation of the software.

    Ubuntu 18.04 LTS was released in April 2018 and reaches end of standard support in April 2023 (14 months from now).  20.04 LTS was released in April 2020 and reaches end of support in April 2025.

    I look forward to the 20.04 LTS upgrade getting to a more late-stage beta class offering where it’s not as intensive of an upgrade process with potential for loss of data or configuration.  I’ve done upgrades of Ubuntu 18.04 LTS to 20.04 LTS before and it was a fairly trivial process.  But these systems aren’t like a normal computer, where they are relying heavily on things like redis for managing configurations and settings and using complex startup scripts and things to dynamically create the normal system configuration files that are expected.

    1
    Comment actions Permalink
  • Avatar
    1980cyber

    Has anyone looked at the CVE's listed? I don't think these are even issues. For example, this one https://nvd.nist.gov/vuln/detail/CVE-2016-20012 ... there are others, even the source itself is debating, better anal is needed before submitting. Like @health said, I don't see the point of a secure boot is even related to this. I am happy with firewalla as is, and if I don't like it, I don't want them to lock me to their image, I want to boot linux or xxx off it if I want.

    @health, I don't think the battery is ever an issue. My raspberry pi doesn't have a battery and it works perfectly. NTP is more than enough to make me happy.

    0
    Comment actions Permalink
  • Avatar
    Rich T.

    I was wondering the same thing as far as the listed CVE's, which is why I asked the OP if any had been exploited (terrible title if they have not). I'm not in security, but looked at a few, and something like  https://ubuntu.com/security/CVE-2020-15778 says status "ignored", so I assume "they" aren't fixing whatever was reported, so it wouldn't be something the Firewalla people could either. Maybe none of the ones listed have any chance of being exploited in these particular devices (that's my hope anyway), but as it is directly connected to the internet, I was hoping someone on the Firewalla team would chime in and just reassure those who have purchased that they look at the exploits and if any are above low probability they would be patched. 

    0
    Comment actions Permalink
  • Avatar
    Andy brown

    Quote from the Firewalla team:

    The Firewalla team maintains the core packages required by the Firewalla software. If updates are needed (security, bugs), we will push upgrades to fix them.

    Maybe they should publish in the update release notes what they patched. and to what version.  Not sure if this is already done or not.

    0
    Comment actions Permalink
  • Avatar
    heath

    @RichT - I think that would be great.  Just a CVE status page listing the CVEs that are applicable to the software running on the box and then a simple note on if it’s been fixed (and in which FW version( or if it’s not applicable).  That might go a long way to assuring customers of the seriousness of the Firewall team WRT security issues.

    And looking through what was originally posted, it’s just the 6 actual CVEs around OpenSSH.  All the other references are just pointers back to the CVEs.

    @Ma - why did you feel the need to post duplicates of the same thing multiple times?  It doesn’t help your cause by making the list look longer than it actually is, quite the opposite.  For CVEs that are disputed by the maintainer or marked as Ignored by the O/S provider (Ubuntu, in this case), there is nothing that Firewalla can do.  What were you hoping to achieve by posting those and berating the Firewalla team for not addressing it?

    1
    Comment actions Permalink
  • Avatar
    Ma Ar

    I did an exact copy paste from the vulnerability scanner results. I didn't notice any duplicates, but then again I didn't read through each one of the vulnerabilities. Which ones are duplicates?

    I had hoped for a secure firewall when I originally purchase the hardware. What I apparently got was a huge security hole that I paid money and voluntarily installed myself. Then after spending probably hundreds of hours reinstalling and configuring every computer attached to the network multiple times and asking for assistance, all I happened to get was criticism (by most likely employees/owners) that I am harassing the people that sold me a product by pointing out ways it weakened the security of my network. Multiple times I have gotten responses back regarding this topic on different forums that would seem to indicate to me that the entire operation is run by a marketing team that knows as much about technology as exactly what they were told. Any bad advice that they give (such as keeping old versions of software with known vulnerabilities because it was stable) is just never questioned by a group of supporters that think the company should continue being able to make additional money from a line of products they already have trouble supporting.

    What I actually expected to achieve? I hoped to point out a few times that have been blatant lies (misrepresentation) or complete and continued ignorance the company has of it's own product. Some of these false representations, such as spending money to have additional (not less) security for my devices prompted me to spend the extra money on the device after I had been considering similar passively cooled minipcs to build my own pfSense device that I could have gotten for cheaper and with better specs on AliExpress. But no, I get you. This company is the next tech giant that build its empire on its great tradition of customer service by offering people that know less than they do a false sense of security. None of the other tech companies fix all their security vulnerabilities. Why should this one? And why am I such an *** for not just shutting my mouth after being scammed?

    Probably has something to do with all the free time I have from COVID.

    0
    Comment actions Permalink
  • Avatar
    Ma Ar

    For others following this thread, I have been testing other software options to replace the software. Tested Sophos, who have a free home option I happened to encounter a "rare" bug in home version that had been reported like 5 years ago. The bug actually flipped the interface for the firewall from an internally controlled to externally controlled. After testing with a minimal installation that just ran through their Guided Install to setup initial configuration, and doing a restart after that was setup, I saw this happen for like the 4th time. Would not recommend.

    pfSense has been a lot more of a setup process. (Some my mistakes.) The logging and reporting that I have been able to observe has given me more clues about the attacks that are being executed against my hardware. I'm not running the Firewalla software currently, but I have been able to observe what others have reported as signs of Arp spoofing attacks on this device. (Which actually could explain the Sophos problem, as well). Arpwatch would be able to monitor this, but I'm not sure if it is included in firewalla software package. Arpwatch logs all the MAC addresses and changes on the network.The factor I found most weird about the way this is being implemented was the way that MAC addresses change usually by just 1 hex digit and I think mostly to a value that would be easily entered incorrectly by misreading someone's handwritting (think a (<---not this font though) being confused with a 9, and b switching to 6). The errors appear like human errors. Corruption would be much more random. Patterns are a sign deliberate modification. A pattern that has human deliberate human interpretation seems like a planned excuse or defense. Also, observation with Arpwatch shows the MAC address changing and then changing back on it's own.

    Not sure how common this might be, but didn't notice any signs in the logs when searching for causes while using firewalla (didn't know to look for that specifically before though). Hope this helps someone.

    0
    Comment actions Permalink
  • Avatar
    Ma Ar

    @Rich: How exactly would you determine which method was used to get into your network? For anyone with enough knowledge to exploit one of these vulnerabilities, cleaning up the traces of their entry would be piece of cake. Log entries can be line edited and if just lazy, a full log wipe is even faster (which I have seen blank logs that I know I checked a couple days prior). If I remember when I scanned a couple of these, many of the exploits listed seem to be targeted at OpenSSH. An upgrade to Ubuntu 20.04 would fix some, but there are issues with the version contained in standard package manager repos for 20.04. Personally was running Ubuntu 20.04 on a machine at home. There seems to be either waning support for Ubuntu at this date or package managers are focusing on the next LTS release. Ubuntu 21 is just broken so bad still (4 month after release!). Looking into becoming a package maintainer, but currently OpenSSL seems to be integrating some OpenSC functionality into the >3.0 standard. I'm not an IT person, so I don't know much about the deprecated portions to make or suggest major changes to the code that probably over half the web uses for encryption/authentication (this might be older news, as I haven't spent much time researching the subject (because I keep having to spend all my time reformatting and reinstalling my OS). I would say the major issue at hand would rather be development team for this project not building new software package from source and integrating those packages into updates. New updates are released all the time that don't get formally introduced to the Ubuntu 18.04 or 20.04 builds by package maintainers. This code needs to be built and tested and then compatibility tested with other dependant software then ideally stability tested. Being in my situation (where I already am aware of compromise) anything that I try to fix is not reliable as any generated PGP keys should already be considered insecure. There is a solution to this that is already built into the hardware, but this runs into the afforementioned planned OpenSC integration into OpenSSL. The upgrade to the hardware that would secure encryption to an enterprise/bank/military standard instead of no standard is a $20 sim card that would generate-on-card and store private encryption keys in a way that they aren't ever able to be extracted. This is why banks and cell phone carriers use this technology. A lot of newer hardware security devices are just one of these SIM cards built into a reader and disguised to not look like that is all it is. Apple seems to be headed towards removing this functionality from their phones and encouraging eSIMs, but they also have their own chip providing TPM functions that might surpass the standard SIMs. Most older SIMs in use only support up to RSA 2046 encryption keys, while RSA 3069 keys are now the recommended strength encryption. I believe what was once considered to take billions of years to crack is now possible at a state-sponsered level (which means in a few years it will probably be possible by a kid with a laptop). This is a major reason for Microsoft's TPM 2.0 requirement for WIndows 11. Consequently, there is little motivation for me to invest much time in providing a solution that will be outdated soon and that no one would even know enough about the problem to understand most of what I say. I had a conversation with an IT university major today that said I sounded like I was speaking a foreign language when I told him what I was working on today. I would think the people actually profiting off of these technologies should be investing in their R&D.

    TL;DR. Any hacker can erase their tracks. There is a way to fix, but not even the company that sells this stuff knows why that thing is there on the hardware they "make". I think they mentioned that removal would cost extra in a separate thread so they didn't get that functionality (that would actually secure their device) removed.

    Oh and people keep mentioning how "terrible" by breaking my warranty because I am by opening my device and seeing what was there. According to US law, the company has to prove that you damaged the device to void the warranty. (that would be very hard for any company to do, unless you literally spilled your drink in the device while upgrading the RAM) + my warranty expired already +I am also a certified technician (since A.D. 2000) +I do soldering board level repair and engineer new devices as a hobby.

    0
    Comment actions Permalink
  • Avatar
    heath

    I’m all for improving security, especially in the consumer space where most people don’t know or care enough to do it themselves.

    To answer one of your points, you posted a list of 14 items which are all the same 6 CVEs. Just look at the list and it’s pretty obvious which are the duplicates.

    F5?
    Gentoo?
    Huawei?

    Those are just vendor specific instances of the same thing and none of them have anything to do with the Firewalla.

    And as others have said, some of those CVEs are not being addressed at all by the OpenSSH team. Let alone Ubuntu or Firewalla.

    Are you exposing SSH to the Internet on the box? If not, then for it to be attacked you have to have a compromised device in your network.

    If you are more comfortable spending your time running a pfSense box, that is your choice. I used to do that back in the days before pfSense with ipchains and a custom built Linux server. But I would rather let someone else do the work these days.

    What scanner did you use to get that list of results? I find it odd that it is presenting results for operating systems that aren’t applicable to the box. It’s looks like it is basing it on banner scraping, which is historically inaccurate.

    As someone who does hardware work, create your own device and market and sell it. The underlying components are almost all open source.

    Don’t misunderstand me. I’m not giving them a pass for not responding. I’m just saying that you could have gone about it in a very different manner and potentially gotten better results. Just throwing a list of CVEs from a scanner and throwing around accusations of the devs completely ignoring things just makes you sound like someone with a grudge versus someone trying to push them to do better. You didn’t look ate the CVEs in any detail, you didn’t even look at the list to realize that over 1/2 were duplicates.

    3
    Comment actions Permalink
  • Avatar
    Rich T.

    Look, I don't know you, but you sound like a guy who:
    1) Wants to sound smarter than he is on the internet. 
    2)Someone who has the worst trait a security guy can have, the belief that "they" can do anything. (don't ask how).

    The vulnerabilities you posted here seem to be nonsense. The first 2 and CVE-2020-15778 appear to all be the same thing which is disputed by the vendor, and they say they intentionally omit the backtick, so ignore those and move on to the next one CVE-2016-20012 https://nvd.nist.gov/vuln/detail/CVE-2016-20012 
    Sounds ominous, but is it?

    Nope:
    https://www.cvedetails.com/cve/CVE-2016-20012/
    Note the "Gained Access: None" This is similar to other enumeration exploits, such as: 
    https://www.cvedetails.com/cve/CVE-2018-15473/
    If you want to see what the developers of something like this think of it as a security risk, read what one wrote about the above when they fixed it:
    https://www.openwall.com/lists/oss-security/2018/08/24/1

    So, how about this, pick out the absolute worst security hole that Firewalla leaves open, and explain how it could be exploited. If you can do that, without just throwing around catch phrases and telling stories, maybe there's something to what you are saying. If not, I'll assume you're a troll and stop listening. It doesn't need to be "here's proof, I just did this and exploited it" just "user with firewalla admin access clicks malicious link and downloads a payload, the payload does this..." Maybe all of us here and on the Firewalla team can learn something.

    8
    Comment actions Permalink
  • Avatar
    Matt Niswonger

    @Rich T. - I agree.  This sounds like a lot of hype over poor perception/understanding.  While I agree that security is very important and should be taken seriously, that doesn't mean that just because there is a CVE that there are active exploits for it or that it needs to be patched.  There are things that can be put into place to mitigate risk for many vulnerabilities and this is a common security practice in businesses where they have legacy products or assets.  I had docker containers that were vulnerable to log4j (actually went through several rounds of patching and a few are still) but since I use a reverse proxy and they're on an isolated network with no internet access, so what?  Is it a risk?  Sure.  Is it likely that someone is going to be able to exploit it?  No.  I did my due diligence.

    Many of the unpatched vulnerabilities I've seen on Firewalla when watching for CVEs in 18.04 and looking them up require shell access to exploit.  If a bad actor has shell access on the Firewalla they already have root so what's the point?  There were some RCE exploits that weren't applicable to Firewalla because the services were either not installed or not running.  There may have been some that require local access, but this is probably a good reason why people should take physical security seriously as well.  And I'd have to question if most people are really targets for local vulnerabilities being exploited anyway.  

    In my experience the Firewalla team has been very proactive with regards to security.  Even though they weren't affected by Log4j they put together some excellent documentation to mitigate risk and built a target list for known bad actors actively exploiting it.  And that was within a day or two of it being actively exploited as well.

    Here is said article for reference - https://help.firewalla.com/hc/en-us/articles/4412551036179-How-to-protect-your-network-from-log4j-exploit-CVE-2021-44228-

    2
    Comment actions Permalink

Please sign in to leave a comment.