Netgate Discussion Forum

    OpenSSL vulnerability: pfSense affected?

      Stepinsky

      Is pfSense still using OpenSSL? If yes, are we affected by the latest OpenSSL security bug? I cannot judge the relevance of the vulnerability for pfSense users.

        tohil @Stepinsky

        @stepinsky
        pfSense 2.5.2 is using openssl version 1.1.1k-freebsd which is affected by this issue.

        https://www.openssl.org/news/secadv/20210824.txt

          johnpoz LAYER 8 Global Moderator @Stepinsky

          @stepinsky said in OpenSSL vulnerability: pfSense affected?:

          I cannot judge the relevance of the vulnerability for pfSense users.

          That is the big question for sure. The analysis is still underway at NIST.

          https://nvd.nist.gov/vuln/detail/CVE-2021-3712
          This vulnerability is currently awaiting analysis.

          The key really being
          "If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."

          Would that be something that could be done with how and when pfSense uses OpenSSL? And it seems there is a patch for FreeBSD
          https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc

          So when Netgate/pfSense feels it's prudent, sure they will make it available.

          edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest.

          Here is the article if interested
          https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11
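
The condition quoted from the advisory in the post above, shown as an added illustration that is not part of the thread and is not OpenSSL code: a counted string whose bytes are not NUL-terminated is passed to a routine that trusts a terminator instead of the length field. `counted_str`, `render_assuming_nul`, `render_bounded` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a counted string like ASN1_STRING: a byte
 * pointer plus an explicit length, with no promise of a trailing NUL. */
struct counted_str {
    const unsigned char *data;
    size_t length;
};

/* Constructed sample memory: 4 string bytes directly followed by
 * unrelated bytes. All reads stay inside this one array, so the demo
 * shows the over-read without itself going out of bounds. */
static const unsigned char arena[16] = "ABCDsecret";

/* Flawed pattern: ignores s->length and trusts a NUL terminator. */
size_t render_assuming_nul(const struct counted_str *s, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    size_t n = strlen((const char *)s->data); /* runs past s->length */
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return n;
}

/* Bounded pattern: copies at most s->length bytes. */
size_t render_bounded(const struct counted_str *s, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    size_t n = s->length;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    struct counted_str s = { arena, 4 }; /* declared value is "ABCD" */
    char out[32];
    size_t n = render_assuming_nul(&s, out, sizeof out);
    printf("assumes NUL: %zu bytes \"%s\"\n", n, out);
    n = render_bounded(&s, out, sizeof out);
    printf("bounded:     %zu bytes \"%s\"\n", n, out);
    return 0;
}
```

Whether this matters for a given product comes down to the question raised in the post: can untrusted input reach code that builds such a string directly and then hands it to a routine of the first kind.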
