openssl CVE-2021-3449 & CVE-2021-3450
-
Hi there,
What are the plans for patches with regard to CVE-2021-3449? To the best of my knowledge, running HAProxy with TLS offloading will be affected on 2.5.0 due to:
OpenSSL 1.1.1i-freebsd 8 Dec 2020
Thanks,
Florian
-
The updated version has already been incorporated into the RC snapshots for pfSense Plus 21.02.2 and pfSense CE 2.5.1.
-
@jimp Thanks. May I ask how serious a vulnerability has to be before Netgate will issue an immediate release? The current OpenSSL issue apparently wasn't critical enough (?), so I am wondering what the bar is.
-
We are already in the process of releasing pfSense Plus 21.02.2 and pfSense CE 2.5.1 for other reasons, and this will be included there. It will be out soon (days/weeks at most).
I don't know that I'd consider a DoS like that CVE severe enough to warrant rushing it out faster than we'd already planned, but it's important enough that we included it in this coming release when otherwise we might not have updated a component at that level this far along in the process.
-
Mhm, interesting; so assuming someone considers a DoS more severe (i.e. it is actually being exploited at their site), how would one go about fixing this in their release now? Using RCs is not an option because, for other issues, those might not exist yet.
Are there any guidelines on how to handle those things? Does Netgate have something like https://access.redhat.com/security/ where security issues are listed and their impact (as well as planned solutions/workarounds) is evaluated?
-
There isn't a way to fix it on pfSense without waiting for an update.
If it's critical, someone could move HAProxy to a different system (off the firewall) which has an updated OpenSSL.
-
@apollo13 said in openssl CVE-2021-3449 & CVE-2021-3450:
Does Netgate have something like https://access.redhat.com/security/
"redhat" = a 13k-employee company; this probably includes the ones opening the front door.
Netgate / Rubicon Communications LLC: unknown on wiki.org ( ? ), so I guess a couple or a small dozen of persons, a coffee machine and a dog.
So, true, I didn't really 'fact check', but I tend to say "No" after a 60-second investigation.
pfSense is a project based on the FreeBSD kernel/OS. They have a https://www.freebsd.org/security/ ; it's up to pfSense to sync whenever they can. Take note: I'm a user like you (with a browser and a search engine), so the reality is probably different (Powels).
-
Hi @gertjan,
I mainly linked the Red Hat example because I didn't know how to describe such a thing in words. I am fully aware that Netgate doesn't have the manpower Red Hat has, but there could have been a list of fixed vulns or so that I am not aware of.
That said, I think it is important for users to understand how Netgate handles security issues like this one and what the expectations can be. Currently it sounds (?) like the fix will come soonish because another release is already on the way. Whether that is acceptable for everyone or not is up to them to decide; hence my question about possible workarounds and more insight into the security process.
-
For FreeBSD issues (such as OpenSSL), you can refer to the FreeBSD site for info. They have a section on security and errata.
For pfSense issues, we publish security advisories for problems in pfSense code.
The release notes for each release generally have a listing of relevant security fixes from both contexts, though we don't always enumerate every FreeBSD SA fixed since there can be a lot of them and it's easy to check based on the version of FreeBSD in a given pfSense release.
-
@jimp Thank you, that is helpful.
Out of curiosity (I do not know enough about the pkg management in FreeBSD itself): wouldn't there be a possibility to publish just a fixed OpenSSL package that can be updated via
pkg upgrade
or similar? At first glance this seems easier (especially if the patch is small and doesn't touch the ABI) than issuing a full new pfSense release. Note that I am not suggesting doing that for every package, but maybe just for security issues that might be annoying enough for some people but still don't trigger a fast release… Or even if it is just a package file somewhere that has to be downloaded manually and installed (as far as I understand, it is generally not possible to just take the FreeBSD packages, or am I wrong here)? Thank you for your patience and explanations -- I promise the above questions are the last ones on that topic :)
Cheers,
Florian
-
OpenSSL is a part of the base operating system and not a separate package, so it cannot be updated on its own.
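Since OpenSSL ships in the FreeBSD base system and cannot be swapped out on pfSense, the practical question for an operator is simply whether the installed build predates the fix. The script below is an added example (not code from this thread, from Netgate or from the OpenSSL project): it parses a version string in the form printed by `openssl version` (such as the "OpenSSL 1.1.1i-freebsd 8 Dec 2020" quoted above) and reports whether the build is older than OpenSSL 1.1.1k, the release in which the OpenSSL project fixed CVE-2021-3449 and CVE-2021-3450. The sample strings inside the script are constructed for the demonstration; the only check it performs is the 1.1.1 patch-letter comparison, so builds outside the 1.1.1 series are reported as out of scope rather than as safe.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the 1.1.1k fix
# for CVE-2021-3449 / CVE-2021-3450. Not part of pfSense or OpenSSL.

# True when the string describes an OpenSSL 1.1.1 series build.
is_openssl_111() {
    case "$1" in
        "OpenSSL 1.1.1"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Print the patch letter of a 1.1.1 build ("i" for 1.1.1i-freebsd);
# prints an empty line for the unlettered 1.1.1 release.
openssl_111_letter() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL 1\.1\.1\([a-z]*\).*/\1/p'
}

# True (exit 0) when the build is 1.1.1 through 1.1.1j, i.e. before the fix.
# Exit 1 for 1.1.1k or later and for builds outside the 1.1.1 series.
vulnerable_to_cve_2021_3449() {
    is_openssl_111 "$1" || return 1
    letter=$(openssl_111_letter "$1")
    case "$letter" in
        ""|[a-j]) return 0 ;;   # 1.1.1 .. 1.1.1j: missing the fix
        *)        return 1 ;;   # 1.1.1k or later
    esac
}

# Human-readable verdict for one version string.
classify_openssl() {
    if ! is_openssl_111 "$1"; then
        printf '%s: not a 1.1.1 build, check the OpenSSL advisory for your branch\n' "$1"
    elif vulnerable_to_cve_2021_3449 "$1"; then
        printf '%s: older than 1.1.1k, affected by CVE-2021-3449/3450\n' "$1"
    else
        printf '%s: 1.1.1k or later, fix included\n' "$1"
    fi
}

# Constructed sample strings, plus the live value when openssl is on PATH.
classify_openssl "OpenSSL 1.1.1i-freebsd  8 Dec 2020"
classify_openssl "OpenSSL 1.1.1k-freebsd  25 Mar 2021"
classify_openssl "OpenSSL 1.1.1  11 Sep 2018"
if command -v openssl >/dev/null 2>&1; then
    classify_openssl "$(openssl version)"
fi
```

On a pfSense box the live line comes from running `openssl version` in a shell; the script only reads that string, it changes nothing on the system, and a "fix included" verdict still depends on installing the release Netgate ships rather than on anything the script can do.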