On Apr 8, 2014, at 3:04 PM, Jim Thompson <j...@smallworks.com> wrote:

> 
> Well, that’s the point, Paul.  (You hit the nail on the head.)
> 
> If you don’t have an openssl service exposed, the problem doesn’t affect you.
> 
> Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
> minimised.

The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the 
Impact section:

=====
III. Impact

An attacker who can send a specifically crafted packet to TLS server or client
with an established connection can reveal up to 64k of memory of the remote
system.  Such memory might contain sensitive information, including key
material, protected content, etc. which could be directly useful, or might
be leveraged to obtain elevated privileges.  [CVE-2014-0160]

A local attacker might be able to snoop a signing process and might recover
the signing key from it.  [CVE-2014-0076]
=====

I take that to mean the vulnerability is exploitable both ways, i.e., a 
malicious server could also attack a vulnerable client connecting to it via 
SSL/TLS, making the attack surface potentially much larger.

FWIW, the pre-advisory "heads-up" message from the FreeBSD Security Officer 
appears to back this up.  It included the following advice:

=====
Users who use TLS client and/or server are strongly advised to apply
updates immediately.

Because of the nature of this issue, it's also recommended for system
administrators to consider revoking all of server certificate, client
certificate and keys that is used with these systems and invalidate
active authentication credentials with a forced passphrase change.
=====

Cheers,

Paul.
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
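As an added example, not part of this thread and not pfSense or FreeBSD tooling: a small Python triage helper that classifies an `openssl version` banner against the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and builds a remediation list that treats client-side TLS uses as in scope, as the advisory text quoted above does. The inventory entries, component names and banner strings are constructed for illustration. Vendor builds that backport the fix keep the old version string, so a "vulnerable" result here is a prompt to verify the build, not a confirmation.

```python
import re

# Leading version token of "openssl version" output, e.g.
# "OpenSSL 1.0.1e-freebsd 11 Feb 2013" -> (1, 0, 1, "e", "freebsd")
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_openssl_version(banner):
    """Split an 'openssl version' banner into (major, minor, patch, letter, suffix)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, suffix = m.groups()
    return (int(major), int(minor), int(patch), letter, suffix or "")


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'fixed' or 'unaffected' by CVE-2014-0160.

    Upstream range: 1.0.1 (no letter) through 1.0.1f and 1.0.2-beta1 were
    affected; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had
    the heartbeat extension bug. Distribution builds that patch in place keep
    the old version string, so treat 'vulnerable' as 'verify this build'.
    """
    major, minor, patch, letter, suffix = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # letters are single characters here, so string order is release order
        return "vulnerable" if letter == "" or letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        return "vulnerable" if suffix.lower() == "beta1" else "fixed"
    if (major, minor, patch) < (1, 0, 1):
        return "unaffected"
    return "fixed"


# Constructed inventory: (component, role, exposure, banner). Both roles are
# in scope: a client that connects out to a malicious server is exposed too.
SAMPLE_INVENTORY = [
    ("web GUI", "server", "lan", "OpenSSL 1.0.1e-freebsd 11 Feb 2013"),
    ("vpn client to remote site", "client", "wan", "OpenSSL 1.0.1e-freebsd 11 Feb 2013"),
    ("update fetcher", "client", "wan", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy appliance", "server", "lan", "OpenSSL 0.9.8y 5 Feb 2013"),
]


def remediation_plan(inventory):
    """Return [(component, status, actions)] ordered vulnerable-first, WAN-first.

    Actions follow the quoted advisory advice: patch, then reissue the
    certificates and keys that were in use while vulnerable, and reset any
    credentials that passed through the affected endpoint.
    """
    ordered = sorted(
        inventory,
        key=lambda e: (heartbleed_status(e[3]) != "vulnerable", e[2] != "wan", e[0]),
    )
    plan = []
    for name, role, exposure, banner in ordered:
        status = heartbleed_status(banner)
        actions = []
        if status == "vulnerable":
            actions.append("patch OpenSSL (or confirm the vendor build carries the fix)")
            actions.append("reissue certificates and keys used while vulnerable")
            actions.append("reset credentials that transited this endpoint")
            if role == "client":
                actions.append("limit outbound TLS to known-good peers until patched")
            if exposure == "wan":
                actions.append("treat as highest priority: reachable from the WAN")
        plan.append((name, status, tuple(actions)))
    return plan


if __name__ == "__main__":
    for name, status, actions in remediation_plan(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
        for a in actions:
            print(f"  - {a}")
```

The sort puts vulnerable components that face the WAN first, which matches the point made in the thread: restricting the web GUI to the LAN shrinks the server-side surface, but outbound clients on the same box still need the same patch and key rotation.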