Netgate Discussion Forum

Where to address Heartbeat issue (openssl)

Problems Installing or Upgrading pfSense Software
5 Posts 3 Posters 1.5k Views
  • J
    jahlives
    last edited by Apr 10, 2014, 7:22 PM

    Hi

    I'm not sure if this really is an issue to solve by pfsense so please forgive me if I'm wrong :-)

    I have the nanobsd pfsense 4GB image for amd64 with serial output. Latest version 2.1.1.
    The problem is that the openssl used in that image is vulnerable to the Heartbeat (Heartbleed) attack on openssl. Although openssl is in version 0.9.8y I can get 64K of the server's RAM. When I "fetch" the block shortly after login as admin via the web interface I can even get the admin's password in the response!
    The timeframe for getting the password is quite small but the other request headers, which contain for example session id or cookies, appear almost every time.

    So my main question is to whom to address the issue. Is it pfsense or nanobsd?

    • C
      cmb
      last edited by Apr 10, 2014, 7:23 PM

      2.1.2 release is now available to address that.

      • J
        JeGr LAYER 8 Moderator
        last edited by Apr 10, 2014, 7:32 PM

        Besides the usefulness of that post and the joy of celebrating 2.1.2 release (awesome work), why is that post in the German sub-section? ;)

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • J
          jahlives
          last edited by Apr 10, 2014, 8:04 PM

          @JeGr:

          Besides the usefulness of that post and the joy of celebrating 2.1.2 release (awesome work), why is that post in the German sub-section? ;)

          Very good question :-) I just saw it after posting. I'm German-speaking but wanted to post in the English part. No idea why I have not seen it before.

          @pfsense Team
          Thanks a lot for that quick fix. Will try it and test again.

          Cheers

          tobi

          • J
            jahlives
            last edited by Apr 10, 2014, 8:34 PM

            I just finished the update and it works (or not depending on the point of view  ;) )

            
            Connecting...
            Sending Client Hello...
            Waiting for Server Hello...
             ... received message: type = 22, ver = 0302, length = 58
             ... received message: type = 22, ver = 0302, length = 2331
             ... received message: type = 22, ver = 0302, length = 525
             ... received message: type = 22, ver = 0302, length = 4
            Sending heartbeat request...
            Unexpected EOF receiving record header - server closed connection
            No heartbeat response received, server likely not vulnerable
            
            

            as it should be

            Again thanks for the fast fix and happy 2.1.2

            tobi
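
A defender-side view of the exchange in the tester output above, as an added example that is not code from this thread, pfSense or OpenSSL: it walks plaintext TLS records (the `type`, `ver`, `length` fields printed above) and flags heartbeat records whose declared payload length does not fit the record, the bounds check RFC 6520 requires. It assumes a one-direction byte stream and stops inspecting after ChangeCipherSpec, since later fragments are encrypted; `iter_records`, `scan`, `record` and `SAMPLE` are names made up for this sketch.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, HEARTBEAT = 22, 20, 24   # TLS ContentType values
MIN_PADDING = 16                                         # RFC 6520 minimum padding

def iter_records(stream: bytes):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:
            break                      # truncated capture: stop instead of guessing
        yield ctype, ver, frag
        off += 5 + length

def scan(stream: bytes):
    """Return (record_index, version, declared_len, fragment_len) per bad heartbeat."""
    findings, encrypted = [], False
    for i, (ctype, ver, frag) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True           # later fragments are ciphertext, not parseable
        elif ctype == HEARTBEAT and not encrypted:
            declared = struct.unpack_from("!H", frag, 1)[0] if len(frag) >= 3 else 0
            # RFC 6520: type(1) + length(2) + payload + padding must fit the record
            if len(frag) < 3 or 3 + declared + MIN_PADDING > len(frag):
                findings.append((i, f"{ver:04x}", declared, len(frag)))
    return findings

def record(ctype: int, ver: int, frag: bytes) -> bytes:
    """Build one TLS record (helper for the constructed sample below)."""
    return struct.pack("!BHH", ctype, ver, len(frag)) + frag

# Constructed sample, one direction of a connection (not a real capture).
SAMPLE = b"".join([
    record(HANDSHAKE, 0x0302, b"\x0e\x00\x00\x00"),                    # 4-byte message
    record(HEARTBEAT, 0x0302, b"\x01\x00\x05hello" + b"\x00" * 16),    # well-formed
    record(HEARTBEAT, 0x0302, b"\x01\x00\x40hello"),                   # claims 64, has 5
    record(CHANGE_CIPHER_SPEC, 0x0302, b"\x01"),
    record(HEARTBEAT, 0x0302, b"\x9f\xff\xff" + b"\xaa" * 20),         # ciphertext: skipped
])

if __name__ == "__main__":
    for idx, ver, declared, actual in scan(SAMPLE):
        print(f"record {idx}: ver={ver} heartbeat declares {declared} bytes "
              f"in a {actual}-byte fragment")
```

A heartbeat sent after the handshake completes is encrypted on the wire, so this check only sees requests sent in the clear before ChangeCipherSpec.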
