On Tue, 8 Apr 2014, Chris Frederick wrote:

> On 04/08/14 10:13, Erik Anderson wrote:
>
>> It will be interesting to hear pfsense's response to this. I haven't
>> seen anything from them yet.
>
> This is a very serious bug, and I would highly recommend disabling the
> OpenVPN until pfSense sends out an update, which I'm guessing won't take
> too long. If this was just a website, or smtp server or something, you
> could probably get by longer. The script kiddie crowd will be after
> them, maybe suffer some defacement or something. But the nature of VPN,
> giving an external entity access to internal resources, this is where
> the real attackers will be focusing on, and there's usually a lot more
> risk involved when VPNs fail. It's probably better to suffer the
> downtime and be safe, than have it working and risk a major breach.

I found this info:

https://forum.pfsense.org/index.php?topic=74902.msg408806#msg408806

Mike