OpenSSL vulnerability: pfSense affected?
-
Is pfSense still using OpenSSL? If yes, are we affected by the latest OpenSSL security bug? I cannot judge the relevance of the vulnerability for pfSense users.
-
@stepinsky
pfSense 2.5.2 is using openssl version 1.1.1k-freebsd which is affected by this issue.
https://www.openssl.org/news/secadv/20210824.txt
-
@stepinsky said in OpenSSL vulnerability: pfSense affected?:
I cannot judge the relevance of the vulnerability for pfSense users.
That is the big question for sure.. The analysis is still underway at NIST
https://nvd.nist.gov/vuln/detail/CVE-2021-3712
This vulnerability is currently awaiting analysis. The key really being
"If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."
Would that be something that could be done with how and when pfSense uses OpenSSL? And it seems there is a patch for FreeBSD
https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc
So when Netgate/pfSense feels it's prudent sure they will make it available.
edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest.
Here is the article if interested
https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/
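The practical question behind the thread is whether the OpenSSL build on a given firewall predates the fixed release. The script below is an added example, not part of the forum thread and not Netgate's or pfSense's own tooling: a POSIX sh function that classifies the output of `openssl version` against the fixed releases named in the linked 2021-08-24 OpenSSL advisory (1.1.1l on the 1.1.1 branch, 1.0.2za on the 1.0.2 branch). It assumes pfSense's `/bin/sh` and a version string shaped like the `1.1.1k-freebsd` quoted above; the function names and the output words `fixed`/`vulnerable`/`unknown` are my own choices.

```shell
#!/bin/sh
# Added example (not from the forum thread). Classifies an `openssl version`
# string against the releases the 2021-08-24 OpenSSL advisory names as fixed
# for CVE-2021-3712: 1.1.1l on the 1.1.1 branch, 1.0.2za on the 1.0.2 branch.
# OpenSSL's patch-letter ordering is a..z, then za, zb, ... so a longer suffix
# is always newer than a shorter one and an empty suffix is the oldest.

# letter_ge A B: succeed (exit 0) when patch letter A is at or after B.
letter_ge() {
    if [ ${#1} -ne ${#2} ]; then
        [ ${#1} -gt ${#2} ]
        return
    fi
    [ "$1" = "$2" ] ||
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)" = "$1" ]
}

# openssl_cve_2021_3712_status "<openssl version output>"
# Prints one word: fixed, vulnerable, or unknown (branch not covered here).
openssl_cve_2021_3712_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "1.1.1k-freebsd"
    ver=${ver%%-*}                                  # drop "-freebsd" and similar
    case "$ver" in
        1.1.1*) base=1.1.1; fixed=l ;;
        1.0.2*) base=1.0.2; fixed=za ;;
        *)      echo unknown; return 0 ;;           # 3.x etc.: not one of the two branches
    esac
    suffix=${ver#"$base"}                           # "k", "l", "za", or "" for the base release
    if letter_ge "$suffix" "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Live check when run on the firewall itself; skipped where openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    echo "$installed -> $(openssl_cve_2021_3712_status "$installed")"
fi
```

Run it from the pfSense shell (Diagnostics > Command Prompt, or SSH) to see the verdict for the installed build; `vulnerable` means the advisory's fix is not yet in the base system and the FreeBSD SA-21:16 update is the thing to watch for. The version check is a first triage step only: the advisory's condition that an application must directly construct an ASN1_STRING still decides whether any given pfSense component is reachable.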