Netgate Discussion Forum

    More OpenSSL vulnerabilities

    General pfSense Questions
      adam65535

      FYI…

      http://www.openssl.org/news/secadv_20140605.txt

      All 0.9.8, 1.0.0, and 1.0.1 versions are affected...

      OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
      OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
      OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

      The MiTM attack requires both client and server to be affected (decryption of traffic).
      The other important one only applies if using DTLS, which OpenVPN doesn't support from what I could dig up (code execution).
      The others are DoS.

      EDIT: It looks like OpenVPN.net has updated the OpenVPN Windows client to use OpenSSL 1.0.1h with OpenVPN Windows Installer 2.3.4 I002.

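As an added example (not part of the thread or of any poster's work), a small Python check that classifies `openssl version` output against the fixed releases listed in the post above (0.9.8za, 1.0.0m, 1.0.1h). The host names and version strings in the sample inventory are constructed, and the letter-suffix ordering assumes OpenSSL's convention that `z` is followed by `za`, `zb`, and so on.

```python
import re

# Lowest release per branch carrying the fix, as listed in the advisory quoted above.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Accepts 'openssl version' output ('OpenSSL 1.0.1g 7 Apr 2014') or a bare '1.0.1g'.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")

def parse_openssl_version(text):
    """Split a version string into (branch, letter suffix), e.g. ('0.9.8', 'za')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    return m.group(1), m.group(2)

def suffix_key(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'y' < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)

def is_fixed(text):
    """True if the build is at or past the fixed release for its branch.
    None for branches the advisory does not cover, so 'unknown' is never read as 'fixed'."""
    branch, suffix = parse_openssl_version(text)
    fixed_suffix = FIXED.get(branch)
    if fixed_suffix is None:
        return None
    return suffix_key(suffix) >= suffix_key(fixed_suffix)

# Constructed sample inventory: hypothetical host names with made-up version strings.
SAMPLES = {
    "pfsense-2.1.2": "OpenSSL 1.0.1g 7 Apr 2014",
    "pfsense-2.1.4": "OpenSSL 1.0.1h 5 Jun 2014",
    "old-appliance": "OpenSSL 0.9.8y 5 Feb 2013",
    "win-client-2.3.4-I002": "OpenSSL 1.0.1h 5 Jun 2014",
}

def report(samples=SAMPLES):
    """Map each host to 'fixed', 'needs update' or 'unknown branch'."""
    status = {}
    for host, version in samples.items():
        fixed = is_fixed(version)
        status[host] = "unknown branch" if fixed is None else ("fixed" if fixed else "needs update")
    return status

if __name__ == "__main__":
    for host, state in sorted(report().items()):
        print("%-22s %s" % (host, state))
```

Because the MITM condition needs both ends to be vulnerable, a fleet report like this is most useful when it covers the OpenVPN clients as well as the pfSense servers.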
        BBcan177 Moderator

        Thanks Adam

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          Gio

          Wonder if the pfSense team is working on a new release with openssl 1.0.1h version?

            ingmthompson

            @Gio:

            Wonder if the pfSense team is working on a new release with openssl 1.0.1h version?

            They have, it's already released. Clearly the result of a code audit after Heartbleed.

              bearda

              @ingenieurmt:

              @Gio:

              Wonder if the pfSense team is working on a new release with openssl 1.0.1h version?

              They have, it's already released. Clearly the result of a code audit after Heartbleed.

              Really?  It hasn't been announced or uploaded to any of the mirrors.

                stephenw10 Netgate Administrator

                This is not the same vulnerability we're talking about here. 2.1.2 updated OpenSSL to 1.0.1g to fix heartbleed. This new vulnerability seems to necessitate a further update.

                Steve

                  ingmthompson

                  Sorry, misread the question. I thought it was asking if another OpenSSL release was coming.

                  Is the pfSense team working on a new build with the updated OpenSSL release? Almost certainly.

                    dotdash

                    This one is not an easily exploitable bug like heartbleed. While it should be fixed, it does not require the kind of immediate response that heartbleed did.

                      jimp Rebel Alliance Developer Netgate

                      It's not Heartbleed by a long shot.

                      There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                      Here is a snippet from the security announcement we're still drafting:

                      OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake which permits a Man-in-the-Middle attack leading to possible data disclosure by enabling decryption of SSL traffic[2][3]. The attack requires several conditions to be met, which drastically reduce its potential for exploitation. The required criteria for exploitation are:

                      • A vulnerable server, such as the pfSense GUI or OpenVPN server.
                      • A vulnerable client, such as a browser or OpenVPN client.
                      • A position of power between the client and server where packets may be intercepted and inserted (e.g. untrusted wifi hotspot).

                      Further reducing the potential for exploitation are the following mitigating factors:

                      • Most browsers are not vulnerable as they do not use OpenSSL (Chrome for Android being a notable exception[4]).
                      • OpenVPN is only vulnerable in SSL/TLS mode WITHOUT a TLS Authentication key.

                      In short: In the meantime, make sure your OpenVPN clients get updated (we already updated the export package with new Windows binaries, 2.3.4-I002) and it's not much of an issue. If your OpenVPN SSL/TLS servers already use a TLS auth key, you have little to worry about.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                        hootenanny

                        @jimp:

                        There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                        Hi jimp,

                         I run an OpenVPN client from my pfSense box. In the meantime, is it possible to update OpenSSL to 0.9.8za without adversely affecting the base system?

                        Cheers,

                          stephenw10 Netgate Administrator

                           Previous advice immediately after Heartbleed broke was not to do that; there's a good chance you'll break something.
                          @cmb:

                          Don't try to patch or upgrade OpenSSL, you'll more than likely just break things. Each PBI has its own copy, plus the base system.

                          Steve

                            Reiner030

                            @jimp:

                            It's not Heartbleed by a long shot.

                            There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                            It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?

                            Bests

                              kpa

                              @Reiner030:

                              @jimp:

                              It's not Heartbleed by a long shot.

                              There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                              It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?

                              Bests

                              I wouldn't hold my breath, the 2.0.x versions are marked as "deprecated" on the release information page. There was nothing done on them to fix the heartbleed vulnerability as far as I know.

                                jimp Rebel Alliance Developer Netgate

                                No, there will not be a 2.0.x release, that line is no longer supported.

                                Don't replace the OpenSSL in base yourself.

                                  stephenw10 Netgate Administrator

                                  @kpa:

                                  There was nothing done on them to fix the heartbleed vulnerability as far as I know.

                                  The 2.0.X versions were not vulnerable to Heartbleed, but they may be vulnerable to a whole host of other things.  ;)

                                  Steve

                                    hootenanny

                                    @jimp:

                                    There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                                    Any idea when we can expect to see 2.1.4 release?

                                    Cheers,

                                      Harvy66

                                      @hootenanny:

                                      @jimp:

                                      There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.

                                      Any idea when we can expect to see 2.1.4 release?

                                      Cheers,

                                      "ETA mid next-week."?

                                        hootenanny

                                        @Harvy66:

                                        "ETA mid next-week."?

                                        Just asking as that was last week, in the meantime I still can't use OpenVPN because of the vuln.

                                          jimp Rebel Alliance Developer Netgate

                                          Hit a couple snags but it's still coming soon.

                                          You can use OpenVPN if you use a TLS auth key. Also if you update your clients, it's fine. Please read all of the text I quoted earlier in the thread.
