OpenSSL v1.0.1f - Hearthbleed Bug

th3r3isnospoon · Apr 7, 2014, 10:28 PM

Hello everyone,

I hope this is the correct section for this post (if not, please move, thank you!)

I just saw news about a new, serious bug in OpenSSL which affects all versions lower than 1.0.1f.

Here is a link explaining the problem: http://heartbleed.com/

Here is a link from oss-sec with a fix: http://seclists.org/oss-sec/2014/q2/22

I believe pfSense 2.1.1 uses OpenSSL 1.0.1f. Is this something we should be worried about? If so, are there ways to mitigate this issue? Are there any plans to upgrade OpenSSL to 1.0.1g?

Thank you,

-th3r3isnospoon

Frazze · Apr 7, 2014, 11:53 PM

This needs to get patched ASAP!!!

drees · Apr 8, 2014, 4:46 AM

pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

Edit: pfSense 2.1 and 2.1.1 also ship with OpenSSL 1.0.1 which is vulnerable.

th3r3isnospoon · Apr 8, 2014, 2:39 AM

@drees:

pfSense 2.1.1 ships with OpenSSL 0.9.8 which is not vulnerable and neither are earlier versions of pfSense, either.

I can't find the thread where jimp was saying that 2.1.1 is running 1.0.1f (I did read it earlier today before I posted this thread), but, the thread I did find shows that 2.1 is running 1.0.1e.
https://forum.pfsense.org/index.php?topic=68555.0

However, when I SSH into my FW, it does show this:

#openssl version
#OpenSSL 0.9.8y 5 Feb 2013

Looks like there are two versions of OpenSSL included with pfSense. Maybe the vulnerable version is used by OpenVPN? And the older, stable version is used by racoon for IPSEC tunnels?

which openssl

#/usr/local/bin/openssl version
#OpenSSL 1.0.1f 6 Jan 2014

Thanks,

-th3r3isnospoon

magnawave · Apr 8, 2014, 4:15 AM

If you look what lighthttp and openvpn are linked against, I think its safe to say pfsense is definitely vulnerable. Due to the messed up way this was released(major boo to the openSSL team for their hamhanded approach), quite a few vendors don't have fixes out yet. But I hope the pfsense fix comes soon. :-))

Remember, if you are running a prod site(with ANY SSL exposed to the Internet) and you get the openSSL fix - you need new certs too AFTER you patch or you are possibly vulnerable to someone who already nabbed your private key. There is no proof there is an exploit out there that does this - but assume there is!

drees · Apr 8, 2014, 4:45 AM

Yep, you are right. This thread should be merged with this one which covers the same topic:

Patching/Upgrading OpenSSL

doktornotor · Apr 8, 2014, 9:43 AM

https://redmine.pfsense.org/issues/3585

Major PITA, beyond updating openssl, you should treat all private keys as completely compromised. ::) >:(

raclure · Apr 8, 2014, 11:39 AM

Just for info , the website itself seems to be vulnerable:

http://filippo.io/Heartbleed/#pfsense.org

Cry Havok · Apr 8, 2014, 1:19 PM

Duplicate of https://forum.pfsense.org/index.php?topic=74796