On Apr 8, 2014, at 9:35 PM, Paul Mather <[email protected]> wrote:
> On Apr 8, 2014, at 3:04 PM, Jim Thompson <[email protected]> wrote: > >> >> Well, that’s the point, Paul. (You hit the nail on the head.) >> >> If you don’t have an openssl service exposed, the problem doesn’t affect you. >> >> Since normally the web GUI isn’t exposed to the WAN, the attack surface is >> minimised. > > The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the > Impact section: > > ===== > III. Impact > > An attacker who can send a specifically crafted packet to TLS server or client > with an established connection can reveal up to 64k of memory of the remote > system. Such memory might contain sensitive information, including key > material, protected content, etc. which could be directly useful, or might > be leveraged to obtain elevated privileges. [CVE-2014-0160] > > A local attacker might be able to snoop a signing process and might recover > the signing key from it. [CVE-2014-0076] > ===== > > I take that to read the vulnerability being exploitable both ways, i.e., a > malicious server could also attack a vulnerable client connecting to it via > SSL/TLS, making the attack surface potentially much larger. > > FWIW, the pre-advisory "heads-up" message from the FreeBSD Security Officer > appears to back this up. It included the following advice: > > ===== > Users who use TLS client and/or server are strongly advised to apply > updates immediately. > > Because of the nature of this issue, it's also recommended for system > administrators to consider revoking all of server certificate, client > certificate and keys that is used with these systems and invalidate > active authentication credentials with a forced passphrase change. > ===== Just as an followup and clarification to the above, the recent OpenSSL vulnerability Security Advisory actually covers two OpenSSL flaws. The "heartbleed" flaw only affects FreeBSD 10 in the base OS. All other supported FreeBSD releases are affected by the other flaw they describe (in the ECDSA Montgomery Ladder Approach implementation). I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier. Kudos to the pfSense team for beavering away and cranking out a fix! Cheers, Paul.
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
