Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.

Both SAs affect pfSense 2.1 and 2.1.1.

Heartbleed is an issue because OpenSSL version 1.0.1f is used for software that is not part of FreeBSD 8.3-RELEASE (i.e. things found in /usr/local) in addition to the version without the Heartbleed issue, which is part of FreeBSD 8.3-RELEASE.

Both issues are being corrected via pending release of pfSense 2.1.2, as well as a near future rev for the pfSense 2.2 snapshots.

-- Jim

On Apr 8, 2014, at 21:05, Paul Mather p...@gromit.dlib.vt.edu wrote:

> On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:
>
>> On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
>>
>>> Well, that’s the point, Paul. (You hit the nail on the head.)
>>>
>>> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>>>
>>> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimised.
>>
>> The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the Impact section:
>>
>> =====
>> III. Impact
>>
>> An attacker who can send a specifically crafted packet to TLS server or client with an established connection can reveal up to 64k of memory of the remote system. Such memory might contain sensitive information, including key material, protected content, etc. which could be directly useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]
>>
>> A local attacker might be able to snoop a signing process and might recover the signing key from it. [CVE-2014-0076]
>> =====
>>
>> I take that to read the vulnerability being exploitable both ways, i.e., a malicious server could also attack a vulnerable client connecting to it via SSL/TLS, making the attack surface potentially much larger.
>>
>> FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer appears to back this up. It included the following advice:
>>
>> =====
>> Users who use TLS client and/or server are strongly advised to apply updates immediately. Because of the nature of this issue, it's also recommended for system administrators to consider revoking all of server certificate, client certificate and keys that is used with these systems and invalidate active authentication credentials with a forced passphrase change.
>> =====
>
> Just as a followup and clarification to the above, the recent OpenSSL vulnerability Security Advisory actually covers two OpenSSL flaws. The heartbleed flaw only affects FreeBSD 10 in the base OS. All other supported FreeBSD releases are affected by the other flaw they describe (in the ECDSA Montgomery Ladder Approach implementation).
>
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.
>
> Kudos to the pfSense team for beavering away and cranking out a fix!
>
> Cheers,
>
> Paul.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
<snip>

hi all,

any news? my routers feel exposed :-)

god bless pfsense.

m
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
There was a post to the list at 0400 central US today that 2.1.2 was up but then he pulled it. I haven’t heard anything since then.

You could turn off SSL or just not use it for the time being from anywhere you don’t trust the system - if they don’t see traffic to the firewall they cannot snoop your information.

On Apr 9, 2014, at 3:40 PM, mayak ma...@australsat.com wrote:

> <snip>
>
> hi all,
>
> any news? my routers feel exposed :-)
>
> god bless pfsense.
>
> m
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
2.1.2 wasn’t “UP”. Chris cut a version of something he called “2.1.2” that he indicated *might* become 2.1.2, but it was incomplete. So I asked him to pull it back down.

Jim

On Apr 9, 2014, at 4:59 PM, Ryan Coleman ryanjc...@me.com wrote:

> There was a post to the list at 0400 central US today that 2.1.2 was up but then he pulled it. I haven’t heard anything since then.
>
> You could turn off SSL or just not use it for the time being from anywhere you don’t trust the system - if they don’t see traffic to the firewall they cannot snoop your information.
>
> On Apr 9, 2014, at 3:40 PM, mayak ma...@australsat.com wrote:
>
>> <snip>
>>
>> hi all,
>>
>> any news? my routers feel exposed :-)
>>
>> god bless pfsense.
>>
>> m
[pfSense] The Heartbleed Bug, CVE-2014-0160
Can someone please let me know where pfSense and its OpenVPN is in terms of any vulnerability because of The Heartbleed Bug, CVE-2014-0160.

Thanks

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
If you have a look at this page : http://heartbleed.com/

You would notice that this bug concerns OpenSSL :

• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable

If you are on the latest version of pfSense the version is :

OpenSSL 0.9.8y 5 Feb 2013

So you are not vulnerable to this heart bleed bug !

Thanks.

On 8 Apr 2014 at 13:52, Pete Boyd petes-li...@thegoldenear.org wrote:

> Can someone please let me know where pfSense and its OpenVPN is in terms of any vulnerability because of The Heartbleed Bug, CVE-2014-0160.
>
> Thanks
>
> --
> Pete Boyd
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org

--
Your provider of OpenSource Appliances
www.osnet.eu
PGP ID -- 0x1BA3C2FD
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 08/04/2014 12:59, b...@todoo.biz wrote:

> If you have a look at this page : http://heartbleed.com/
>
> You would notice that this bug concerns OpenSSL :
>
> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> • OpenSSL 1.0.1g is NOT vulnerable
> • OpenSSL 1.0.0 branch is NOT vulnerable
> • OpenSSL 0.9.8 branch is NOT vulnerable
>
> If you are on the latest version of pfSense the version is :
>
> OpenSSL 0.9.8y 5 Feb 2013
>
> So you are not vulnerable to this heart bleed bug !

For those of us who have held off upgrading just yet, and still run earlier versions of pfsense, are earlier versions vulnerable?

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 08/04/2014 12:59, b...@todoo.biz wrote:

> You would notice that this bug concerns OpenSSL :
>
> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> • OpenSSL 0.9.8 branch is NOT vulnerable
>
> If you are on the latest version of pfSense the version is :
>
> OpenSSL 0.9.8y 5 Feb 2013
>
> So you are not vulnerable to this heart bleed bug !

But I see this:

/usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013

/usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 8 Apr 2014 at 14:14, Pete Boyd petes-li...@thegoldenear.org wrote:

> On 08/04/2014 12:59, b...@todoo.biz wrote:
>
>> You would notice that this bug concerns OpenSSL :
>>
>> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> • OpenSSL 0.9.8 branch is NOT vulnerable
>>
>> If you are on the latest version of pfSense the version is :
>>
>> OpenSSL 0.9.8y 5 Feb 2013
>>
>> So you are not vulnerable to this heart bleed bug !
>
> But I see this:
>
> /usr/bin/openssl version
> OpenSSL 0.9.8y 5 Feb 2013
>
> /usr/local/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013

Mmmh, this is true : on 2.1.1 in — /usr/local/bin/openssl :

# OpenSSL 1.0.1f 6 Jan 2014

I don’t know exactly how this is used… we would need to wait for Chris confirmation on this.

> --
> Pete Boyd
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org

--
Your provider of OpenSource Appliances
www.osnet.eu
PGP ID -- 0x1BA3C2FD
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 2014-04-08 13:59, b...@todoo.biz wrote:

> So you are not vulnerable to this heart bleed bug !

Regarding the web test provided at: http://filippo.io/Heartbleed/

All my pfSense firewalls (their HTTPS WEB GUI) are vulnerable...

Cheers,
Marek

--
Marek Salwerowicz
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 4/8/2014 8:20 AM, b...@todoo.biz wrote:

> Mmmh, this is true : on 2.1.1 in — /usr/local/bin/openssl :
>
> # OpenSSL 1.0.1f 6 Jan 2014
>
> I don’t know exactly how this is used… we would need to wait for Chris confirmation on this.

Many of the ports and packages (e.g. OpenVPN) link against the newer version, and are impacted by this bug. If only they'd announced this a week ago... :P

Not sure what the ETA is, but it shouldn't take much on our side to get things bumped, but we'll need to do more testing and such.

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
Thanks for the update Jim and for your and others' efforts in bringing us updated software. These things keep many of us in employment, but I expect you guys would have appreciated a little breather after releasing 2.1.1.

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 4/8/2014 8:48 AM, Pete Boyd wrote:

> Thanks for the update Jim and for your and others' efforts in bringing us updated software. These things keep many of us in employment, but I expect you guys would have appreciated a little breather after releasing 2.1.1.

Actually with the release engineering process fresh in our heads/muscle memory and everything practically set to go, it's not exactly a horrible time for it to have happened, but not ideal. It would have been better before the release, surely, but it could be much worse. If our hand was forced later in the development cycle before other parts were ready, that would have been a much larger problem.

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 4/8/2014 9:15 AM, Vick Khera wrote:

> On Tue, Apr 8, 2014 at 9:11 AM, Jim Pingle li...@pingle.org wrote:
>
>> Actually with the release engineering process fresh in our heads/muscle memory and everything practically set to go, it's not exactly a horrible time for it to have happened, but not ideal.
>
> Would testing be faster/easier if you just disabled the heartbeat feature on the current open SSL version and recompiled? That effectively removes the vulnerability too.

IMO, If we're recompiling anything at all we may as well update to a non-vulnerable version. No need for shortcuts.

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 04/08/2014 03:34 PM, Jim Pingle wrote:

> On 4/8/2014 9:15 AM, Vick Khera wrote:
>
>> On Tue, Apr 8, 2014 at 9:11 AM, Jim Pingle li...@pingle.org wrote:
>>
>>> Actually with the release engineering process fresh in our heads/muscle memory and everything practically set to go, it's not exactly a horrible time for it to have happened, but not ideal.
>>
>> Would testing be faster/easier if you just disabled the heartbeat feature on the current open SSL version and recompiled? That effectively removes the vulnerability too.
>
> IMO, If we're recompiling anything at all we may as well update to a non-vulnerable version. No need for shortcuts.
>
> Jim

oh man.

this is a nightmare -- NSA is having a field day with this. how long has it been around?

thanks
m
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Tue, Apr 8, 2014 at 9:50 AM, mayak ma...@australsat.com wrote:

> this is a nightmare -- NSA is having a field day with this. how long has it been around?

http://heartbleed.com full FAQ for ya.
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 8 Apr 2014 at 16:01, Vick Khera vi...@khera.org wrote:

> On Tue, Apr 8, 2014 at 9:50 AM, mayak ma...@australsat.com wrote:
>
>> this is a nightmare -- NSA is having a field day with this. how long has it been around?
>
> http://heartbleed.com full FAQ for ya.

From my humble point of view : this is a huge opportunity for the pfSense® software team to be able to advertise its capacity to mitigate such problem much faster than any other firewall manufacturer around.

Imagine the headlines : « pfSense team patches the heartbleed bug within xx hours ».

Good luck !

--
Your provider of OpenSource Appliances
www.osnet.eu
PGP ID -- 0x1BA3C2FD
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
<snip>

i'm sure that they are on it -- this is the most catastrophic security flaw the internet may have ever witnessed.

m
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
So what version of OpenSSL is running on 2.1.0? Sorry if this has been answered already.

Thanks for your time.

Paul Galati
paulgal...@gmail.com

On Apr 8, 2014, at 7:59 AM, b...@todoo.biz wrote:

> You would notice that this bug concerns OpenSSL :
>
> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> • OpenSSL 1.0.1g is NOT vulnerable
> • OpenSSL 1.0.0 branch is NOT vulnerable
> • OpenSSL 0.9.8 branch is NOT vulnerable
>
> If you are on the latest version of pfSense the version is :
>
> OpenSSL 0.9.8y 5 Feb 2013
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 04/08/2014 06:05 PM, Paul Galati wrote:

> So what version of OpenSSL is running on 2.1.0? Sorry if this has been answered already.
>
> Thanks for your time.
>
> Paul Galati
> paulgal...@gmail.com
>
> On Apr 8, 2014, at 7:59 AM, b...@todoo.biz wrote:
>
>> You would notice that this bug concerns OpenSSL :
>>
>> • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> • OpenSSL 1.0.1g is NOT vulnerable
>> • OpenSSL 1.0.0 branch is NOT vulnerable
>> • OpenSSL 0.9.8 branch is NOT vulnerable
>>
>> If you are on the latest version of pfSense the version is :
>>
>> OpenSSL 0.9.8y 5 Feb 2013

2.10 and 2.1.1 are vulnerable

source code tester here:
https://github.com/titanous/heartbleeder

binary tester here:
http://gobuild.io/download/github.com/titanous/heartbleeder
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 8 Apr 2014 at 19:07, compdoc comp...@hotrodpc.com wrote:

>> So what version of OpenSSL is running on 2.1.0? Sorry if this has been answered already
>
> Type:
>
> openssl version

This might not be enough as there are two versions of openssl installed…

One in /usr/bin/openssl and one in /usr/local/bin/openssl

Both should be ok.

--
Your provider of OpenSource Appliances
www.osnet.eu
PGP ID -- 0x1BA3C2FD
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Tue, 8 Apr 2014, b...@todoo.biz wrote:

> This might not be enough as there are two versions of openssl installed…
>
> One in /usr/bin/openssl and one in /usr/local/bin/openssl
>
> Both should be ok.

Not on 2.1:

[2.1-RELEASE]/root(9): /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

Worse, that's the version used by OpenVPN and lighttpd:

[2.1-RELEASE]/root(8): ldd /usr/local/sbin/openvpn
/usr/local/sbin/openvpn:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)

[2.1-RELEASE]/root(14): ldd /usr/local/sbin/lighttpd
/usr/local/sbin/lighttpd:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
there are two installed versions of openssl on the system. the base which is used by the stock freebsd software, such as the ssh server, and then the packaged version which all the additional software (http server, openvpn, ipsec/setkey) uses:

# /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
# /usr/local/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

This is what pfSense 2.1 reports.

Basically, if the software is in /usr/local/bin or /usr/local/sbin, it is using the package version of openssl, which is in /usr/local/lib.

On Tue, Apr 8, 2014 at 1:07 PM, compdoc comp...@hotrodpc.com wrote:

>> So what version of OpenSSL is running on 2.1.0? Sorry if this has been answered already
>
> Type:
>
> openssl version
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
Well, that’s the point, Paul. (You hit the nail on the head.)

If you don’t have an openssl service exposed, the problem doesn’t affect you.

Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.

We are working at cutting a new release.

Jim

On Apr 8, 2014, at 1:49 PM, Paul Galati paulgal...@gmail.com wrote:

> Is this vulnerability tied to a secure web connection on the wan interface? If I do not have the web gui enabled on the wan interface and I am not using openVPN, what other services allow this point of entry possible?
>
> Thanks for your time.
>
> Paul Galati
> paulgal...@gmail.com
>
> On Apr 8, 2014, at 8:20 AM, Marek Salwerowicz marek_...@wp.pl wrote:
>
>> Regarding the web test provided at: http://filippo.io/Heartbleed/
>>
>> All my pfSense firewalls (their HTTPS WEB GUI) are vulnerable...
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 12:34 PM, Paul Heinlein heinl...@madboa.com wrote:

> On Tue, 8 Apr 2014, b...@todoo.biz wrote:
>
>> This might not be enough as there are two versions of openssl installed…
>>
>> One in /usr/bin/openssl and one in /usr/local/bin/openssl
>>
>> Both should be ok.
>
> Not on 2.1:
>
> [2.1-RELEASE]/root(9): /usr/local/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> Worse, that's the version used by OpenVPN and lighttpd:

Your use of “worse” here merely pours gasoline on an already burning fire.

> [2.1-RELEASE]/root(8): ldd /usr/local/sbin/openvpn
> /usr/local/sbin/openvpn:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
>
> [2.1-RELEASE]/root(14): ldd /usr/local/sbin/lighttpd
> /usr/local/sbin/lighttpd:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)

The situation is no different with pfSense version 2.1.1, even though the ports version of openssl is 1.0.1f. (1.0.1g is required to be clear of the Heartbleed issue.)

[2.1.1-RELEASE][root@pfSense.localdomain]/root(3): /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
[2.1.1-RELEASE][root@pfSense.localdomain]/root(4): /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1.1-RELEASE][root@pfSense.localdomain]/root(5):
[2.1.1-RELEASE][root@pfSense.localdomain]/root(15): ldd /usr/local/sbin/openvpn
/usr/local/sbin/openvpn:
        liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
        libc.so.7 => /lib/libc.so.7 (0x800c22000)
        libthr.so.3 => /lib/libthr.so.3 (0x800e4f000)
[2.1.1-RELEASE][root@pfSense.localdomain]/root(22): ldd /usr/local/sbin/lighttpd
/usr/local/sbin/lighttpd:
        libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x80067)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)
        libthr.so.3 => /lib/libthr.so.3 (0x800c0c000)
        libc.so.7 => /lib/libc.so.7 (0x800d25000)

As previously mentioned, we’re working on a new release.

jim
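The checks that Pete Boyd, Paul Heinlein, Vick Khera and Jim run by hand above (two openssl binaries, and ldd to see which /usr/local programs pull in the ports libssl) can be scripted. The following is an added example, not code from the thread or from the pfSense project; it assumes the paths quoted in the thread (/usr/bin/openssl, /usr/local/bin/openssl, /usr/local/lib) and uses constructed ldd samples modelled on the output quoted above.

```sh
#!/bin/sh
# Added example, not from the pfSense list thread or the pfSense project.
# Automates the two manual checks in the thread:
#   1. "openssl version" for both the base and the ports openssl, classified
#      against the affected range quoted from heartbleed.com
#      (1.0.1 through 1.0.1f affected; 1.0.1g, 1.0.0 and 0.9.8 not);
#   2. "ldd" on everything in /usr/local/bin and /usr/local/sbin, reporting
#      binaries whose libssl resolves to /usr/local/lib (the ports copy).
# Run on a box:  sh heartbleed_check.sh --check

# Return 0 if an "openssl version" banner names a release in 1.0.1 .. 1.0.1f.
heartbleed_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # CVE-2014-0160 range
        *)                return 1 ;;   # 1.0.1g+, 1.0.0 branch, 0.9.8 branch
    esac
}

# Return 0 if ldd output shows libssl resolved from /usr/local/lib.
# Accepts "=>" as ldd prints it, and a bare "=" in case the output was
# pasted with the ">" lost.
links_ports_libssl() {
    printf '%s\n' "$1" |
        grep -Eq 'libssl[^[:space:]]*[[:space:]]*=>?[[:space:]]*/usr/local/lib/'
}

# Constructed sample modelled on the ldd output quoted in the thread.
SAMPLE_OPENVPN_LDD='/usr/local/sbin/openvpn:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)'
# Constructed sample: a base-system daemon using the base libssl, not ports.
SAMPLE_SSHD_LDD='/usr/sbin/sshd:
        libssl.so.6 => /usr/lib/libssl.so.6 (0x800a00000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800b00000)'

# Print every /usr/local executable that pulls in the ports libssl.
report_ports_ssl_users() {
    for bin in /usr/local/bin/* /usr/local/sbin/*; do
        [ -x "$bin" ] || continue
        out=$(ldd "$bin" 2>/dev/null) || continue   # skip scripts, non-ELF
        if links_ports_libssl "$out"; then
            printf '%s\n' "$bin"
        fi
    done
}

main() {
    for exe in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$exe" ] || continue
        banner=$("$exe" version 2>/dev/null) || continue
        if heartbleed_version "$banner"; then
            printf '%s: %s  <-- in CVE-2014-0160 range\n' "$exe" "$banner"
        else
            printf '%s: %s  (outside affected range)\n' "$exe" "$banner"
        fi
    done
    echo "Binaries linked against /usr/local/lib libssl:"
    report_ports_ssl_users
}

case "${1:-}" in
    --check) main ;;
esac
```

A binary listed by the second check is only fixed once the ports libssl it resolves to is the updated one, whatever `/usr/bin/openssl version` says.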
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:

> Well, that’s the point, Paul. (You hit the nail on the head.)
>
> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>
> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.
>
> We are working at cutting a new release.

Hi,

according to:

http://www.kb.cert.org/vuls/id/BLUU-9HY33E

only FreeBSD 10 is affected.

There are binary updates for FreeBSD 10 available, just no advisory-text.

No update for FreeBSD 9.1
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 3:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

> On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:
>
>> Well, that’s the point, Paul. (You hit the nail on the head.)
>>
>> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>>
>> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.
>>
>> We are working at cutting a new release.
>
> Hi,
>
> according to:
>
> http://www.kb.cert.org/vuls/id/BLUU-9HY33E
>
> only FreeBSD 10 is affected.
>
> There are binary updates for FreeBSD 10 available, just no advisory-text.
>
> No update for FreeBSD 9.1

pfSense 2.1 and 2.1.1 are affected.

Jim
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 4:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

> On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:
>
>> Well, that’s the point, Paul. (You hit the nail on the head.)
>>
>> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>>
>> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.
>>
>> We are working at cutting a new release.
>
> Hi,
>
> according to:
>
> http://www.kb.cert.org/vuls/id/BLUU-9HY33E
>
> only FreeBSD 10 is affected.
>
> There are binary updates for FreeBSD 10 available, just no advisory-text.

The advisory is now out (FreeBSD Security Advisory FreeBSD-SA-14:06.openssl). It includes this line:

Affects: All supported versions of FreeBSD.

I've already updated a bunch of FreeBSD 9.2-RELEASE-p3 and 10.0-RELEASE systems via freebsd-update. I'm updating my 9-STABLE and 10-STABLE systems now via a source update...

Cheers,

Paul.
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:

> Well, that’s the point, Paul. (You hit the nail on the head.)
>
> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>
> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimised.

The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the Impact section:

=====
III. Impact

An attacker who can send a specifically crafted packet to TLS server or client with an established connection can reveal up to 64k of memory of the remote system. Such memory might contain sensitive information, including key material, protected content, etc. which could be directly useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]

A local attacker might be able to snoop a signing process and might recover the signing key from it. [CVE-2014-0076]
=====

I take that to read the vulnerability being exploitable both ways, i.e., a malicious server could also attack a vulnerable client connecting to it via SSL/TLS, making the attack surface potentially much larger.

FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer appears to back this up. It included the following advice:

=====
Users who use TLS client and/or server are strongly advised to apply updates immediately. Because of the nature of this issue, it's also recommended for system administrators to consider revoking all of server certificate, client certificate and keys that is used with these systems and invalidate active authentication credentials with a forced passphrase change.
=====

Cheers,

Paul.
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

> On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
>
>> Well, that’s the point, Paul. (You hit the nail on the head.)
>>
>> If you don’t have an openssl service exposed, the problem doesn’t affect you.
>>
>> Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimised.
>
> The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the Impact section:
>
> =====
> III. Impact
>
> An attacker who can send a specifically crafted packet to TLS server or client with an established connection can reveal up to 64k of memory of the remote system. Such memory might contain sensitive information, including key material, protected content, etc. which could be directly useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]
>
> A local attacker might be able to snoop a signing process and might recover the signing key from it. [CVE-2014-0076]
> =====
>
> I take that to read the vulnerability being exploitable both ways, i.e., a malicious server could also attack a vulnerable client connecting to it via SSL/TLS, making the attack surface potentially much larger.
>
> FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer appears to back this up. It included the following advice:
>
> =====
> Users who use TLS client and/or server are strongly advised to apply updates immediately. Because of the nature of this issue, it's also recommended for system administrators to consider revoking all of server certificate, client certificate and keys that is used with these systems and invalidate active authentication credentials with a forced passphrase change.
> =====

Just as a followup and clarification to the above, the recent OpenSSL vulnerability Security Advisory actually covers two OpenSSL flaws. The heartbleed flaw only affects FreeBSD 10 in the base OS. All other supported FreeBSD releases are affected by the other flaw they describe (in the ECDSA Montgomery Ladder Approach implementation).

I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.

Kudos to the pfSense team for beavering away and cranking out a fix!

Cheers,

Paul.