    openssl CVE-2021-3449 & CVE-2021-3450

      apollo13

      Hi there,

      What are the plans for patches with regard to CVE-2021-3449? To the best of my knowledge, running haproxy with TLS offloading will be affected on 2.5.0 due to OpenSSL 1.1.1i-freebsd 8 Dec 2020.

      Thanks,
      Florian

        jimp (Rebel Alliance Developer, Netgate)

        The updated version has already been incorporated into the RC snapshots for pfSense Plus 21.02.2 and pfSense CE 2.5.1.

        https://redmine.pfsense.org/issues/11755

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          apollo13 (replying to jimp)

          @jimp Thanks. May I ask how serious a vulnerability has to be for Netgate to issue an immediate release? The current OpenSSL issue apparently wasn't critical enough (?), so I am wondering what the bar is.

            jimp (Rebel Alliance Developer, Netgate)

            We are already in the process of releasing pfSense Plus 21.02.2 and pfSense CE 2.5.1 for other reasons, and this will be included there. It will be out soon (days/weeks at most).

            I don't know that I'd consider a DoS like that CVE severe enough to warrant rushing it out faster than we'd already planned, but it's important enough that we included it in this coming release when otherwise we might not have updated a component at that level this far along in the process.


              apollo13 (replying to jimp)

              Hmm, interesting; so assuming someone considers a DoS more severe (i.e. it is actually being exploited at their site), how would one go about fixing this in their release now? Using RCs is not an option because, for other issues, those might not exist yet.

              Are there any guidelines on how to handle those things? Does Netgate have something like https://access.redhat.com/security/ where security issues are listed and their impact (as well as planned solutions/workarounds) is evaluated?

                jimp (Rebel Alliance Developer, Netgate)

                There isn't a way to fix it on pfSense without waiting for an update.

                If it's critical, someone could move HAProxy to a different system (off the firewall) which has an updated OpenSSL.


                  Gertjan (replying to apollo13)

                  @apollo13 said in openssl CVE-2021-3449 & CVE-2021-3450:

                  Does Netgate have something like https://access.redhat.com/security/

                  "redhat" = a 13k-employee company; this probably includes the ones opening the front door.

                  Netgate / Rubicon Communications LLC: unknown on wiki.org (?), so I guess a couple or a small dozen of persons, a coffee machine and a dog.

                  So, true, I didn't really 'fact check', but I tend to say "No" after a 60-second investigation.
                  pfSense is a project based on the FreeBSD kernel/OS. They have https://www.freebsd.org/security/ - it's up to pfSense to sync whenever they can.

                  Take note : I'm a user like you (with a browser and search engine), so the reality is probably different (Powels ©™).

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    apollo13 (replying to Gertjan)

                    Hi @gertjan,

                    I mainly linked the Red Hat example because I didn't know how to describe such a thing in words. I am fully aware that Netgate doesn't have the manpower of Red Hat, but there could have been a list of fixed vulns or so that I am not aware of.

                    That said, I think it is important for users to understand how Netgate handles security issues like this one and what the expectations can be. Currently it sounds (?) like the fix will come soonish because another release is already on the way. Whether that is acceptable for everyone or not is up to them to decide -- hence my question about possible workarounds and more insight into the security process.

                      jimp (Rebel Alliance Developer, Netgate)

                      For FreeBSD issues (such as OpenSSL), you can refer to the FreeBSD site for info. They have a section on security and errata.

                      For pfSense issues, we publish security advisories for problems in pfSense code.

                      The release notes for each release generally have a listing of relevant security fixes from both contexts, though we don't always enumerate every FreeBSD SA fixed since there can be a lot of them and it's easy to check based on the version of FreeBSD in a given pfSense release.


                        apollo13 (replying to jimp)

                        @jimp Thank you, that is helpful.

                        Out of curiosity (I do not know enough about the pkg management in FreeBSD itself): wouldn't there be a possibility to publish just a fixed OpenSSL package that can be updated via pkg upgrade or similar? At first glance this seems easier (especially if the patch is small and doesn't touch the ABI) than issuing a full new pfSense release. Note that I am not suggesting doing that for every package, but maybe just for security issues that might be annoying enough for some people but still don't trigger a fast release… Or even if it is just a package file somewhere that has to be downloaded manually and installed (as far as I understood, it is generally not possible to just take the FreeBSD packages, or am I wrong here?).

                        Thank you for your patience and explanations -- I promise the above questions are the last ones on that topic :)

                        Cheers,
                        Florian

                          jimp (Rebel Alliance Developer, Netgate)

                          OpenSSL is a part of the base operating system and not a separate package, so it cannot be updated on its own.

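An added example (not Netgate's or pfSense's code) for checking where a host stands on the two CVEs in the thread title: it classifies an `openssl version` banner like the one quoted in the first post, and the library HAProxy reports in `haproxy -vv`, against the 1.1.1k fix level; the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not Netgate/pfSense code): classify an "openssl version" banner
# against the fix level for CVE-2021-3449 and CVE-2021-3450. Both were fixed in
# OpenSSL 1.1.1k; 3449 affects every 1.1.1 release up to 1.1.1j, while 3450 was
# introduced in 1.1.1h. Sample banners below are constructed for the self-test.

# Patch letter of a 1.1.1 banner ("OpenSSL 1.1.1i-freebsd 8 Dec 2020" -> "i").
# Prints "plain" for a bare "OpenSSL 1.1.1" and an empty line for other branches.
openssl_111_letter() {
    case $1 in
        "OpenSSL 1.1.1"*) ;;
        *) echo ""; return 0 ;;
    esac
    l=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL 1\.1\.1\([a-z]*\).*$/\1/p')
    echo "${l:-plain}"
}

# CVE-2021-3449: TLS 1.2 renegotiation NULL dereference (server-side DoS).
cve_2021_3449_state() {
    case "$(openssl_111_letter "$1")" in
        "")          echo other-branch ;;
        plain|[a-j]) echo affected ;;
        *)           echo fixed ;;
    esac
}

# CVE-2021-3450: X509_V_FLAG_X509_STRICT CA check bypass, only 1.1.1h to 1.1.1j.
cve_2021_3450_state() {
    case "$(openssl_111_letter "$1")" in
        "")          echo other-branch ;;
        plain|[a-g]) echo not-affected ;;
        [h-j])       echo affected ;;
        *)           echo fixed ;;
    esac
}

# HAProxy reports the library it actually runs against in "haproxy -vv";
# extract that banner so the checks above apply to the TLS offloader itself.
haproxy_openssl_banner() {
    printf '%s\n' "$1" | sed -n 's/^Running on OpenSSL version *: *//p' | head -n 1
}

# Live use on the firewall:  cve_2021_3449_state "$(openssl version)"
#                            cve_2021_3449_state "$(haproxy_openssl_banner "$(haproxy -vv)")"
# Constructed sample, matching the version quoted in the first post:
SAMPLE_VV='HA-Proxy version 2.x (constructed sample)
Built with OpenSSL version : OpenSSL 1.1.1i-freebsd  8 Dec 2020
Running on OpenSSL version : OpenSSL 1.1.1i-freebsd  8 Dec 2020'
banner=$(haproxy_openssl_banner "$SAMPLE_VV")
echo "haproxy libssl: $banner -> CVE-2021-3449 $(cve_2021_3449_state "$banner")"
```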
