Netgate Discussion Forum

Patching/Upgrading OpenSSL

Problems Installing or Upgrading pfSense Software
150 Posts 50 Posters 73.2k Views
    jimp Rebel Alliance Developer Netgate
    last edited by Apr 9, 2014, 6:37 PM

    @port9:

    I have always disabled the WebGUI to the outside world. I have on occasion specified one or two IPs that can access it if I knew I was going to be working on it from that location for a while, i.e. when working on the firewall located at my house while at work I would allow just that one IP. Otherwise I use OpenVPN to access it.

    Isn't this firewall security 101?

    Yep. Looks like you get an A.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

      A Former User
      last edited by Apr 9, 2014, 6:42 PM

      2 quick questions.

      I'm still on 2.0.3, can I go directly to 2.1.2 once it's out ?
      Was 2.0.3 even vulnerable ?

        jimp Rebel Alliance Developer Netgate
        last edited by Apr 9, 2014, 6:43 PM

        @Satras:

        I'm still on 2.0.3, can I go directly to 2.1.2 once it's out ?

        Yes.

        @Satras:

        Was 2.0.3 even vulnerable ?

        No. Only if you used the Unbound package.

          ingmthompson
          last edited by Apr 9, 2014, 6:46 PM

          @dgcom:

          As far as the WebUI - I suggest everyone makes their own risk analysis. Information is out there to make a proper judgement, and having the WebUI open is not as bad as you try to describe (when TLS is not broken, of course, and IP restrictions are in place).

          I tend to agree with this. I'm using it in a home environment, not a corporate production network. Sometimes things break when I'm not there, and given that I'm the only person who knows anything about IT in the house it falls to me to fix it (often quickly due to some perceived life-or-death situation that really isn't as important as it's made out to be, ah the joys of family).

          Risk assessment = minimal, as far as I'm concerned. There are plenty more interesting networks out there to play around in than mine.

            stephenw10 Netgate Administrator
            last edited by Apr 9, 2014, 7:07 PM

            It's not really a question of your network being uninteresting. It's far more likely to be some bot that grabs your login details and turns your router into a spam relay. The bot doesn't care how interesting your network is.
            Like any risk assessment you have to consider both the chances of something happening and the consequences. If the potential consequence is that your firewall is compromised leading to your internal machines being compromised requiring complete re-install of everything - is that a risk worth taking?

            Steve

              dgcom
              last edited by Apr 9, 2014, 7:10 PM

              @stephenw10:

              It's not really a question of your network being uninteresting. It's far more likely to be some bot that grabs your login details and turns your router into a spam relay.

              And you would be amazed how often this happens via SSH with weak root password!

              DG

                keychain
                last edited by Apr 9, 2014, 7:23 PM

                Weak passwords and root? authorized_keys only, AllowUsers, port only open to a specific IP or range. Those who use root access with weak passwords won't start updating now, so this will always be a lost cause.

                  dgcom
                  last edited by Apr 9, 2014, 7:29 PM

                  @keychain:

                  Weak passwords and root? authorized_keys only, AllowUsers, port only open to a specific IP or range. Those who use root access with weak passwords won't start updating now, so this will always be a lost cause.

                  And that is my point - it is not the protocol, which is "bad", it is how it is being used.

                  DG

                    joako
                    last edited by Apr 9, 2014, 7:31 PM

                    @fragged:

                    Use VPN

                    OpenVPN is vulnerable too.

                      jimp Rebel Alliance Developer Netgate
                      last edited by Apr 9, 2014, 7:43 PM

                      @joako:

                      @fragged:

                      Use VPN

                      OpenVPN is vulnerable too.

                      Only if used in SSL/TLS mode without a TLS authentication key. The way the wizard sets it up for a simple RA VPN for management use it would not be vulnerable.

                        ingmthompson
                        last edited by Apr 9, 2014, 7:57 PM

                        @stephenw10:

                        It's not really a question of your network being uninteresting. It's far more likely to be some bot that grabs your login details and turns your router into a spam relay. The bot doesn't care how interesting your network is.

                        I grant you, this is possible. That said, there have to be hundreds of thousands of other home networks just on my ISP alone, notwithstanding the dozen or so other ISPs in this country. Any one of them would make a perfectly tempting target for such a bot (even more so given the fact that most home routers are virtually never updated). I'd also like to take this opportunity to point out that there's only so much that one can do with 2Mbps upstream.

                        Like any risk assessment you have to consider both the chances of something happening and the consequences. If the potential consequence is that your firewall is compromised leading to your internal machines being compromised requiring complete re-install of everything - is that a risk worth taking?

                        For that, someone would have to not only get through the firewall but through the internal machines too, which are not exactly unprotected themselves.

                        All said, you've made your case, and while I stand by my original point that my network is simply not interesting enough to warrant targeting, I'm going to take a look at the feasibility of setting up a basic VPN solution in pfSense to handle remote support requirements.

                          A Former User
                          last edited by Apr 9, 2014, 8:02 PM

                          @ingenieurmt:

                          my network is simply not interesting enough to warrant targeting,

                          No offense, but this attitude makes you a prime target. People believing they are safe because they are not interesting enough.

                            jimp Rebel Alliance Developer Netgate
                            last edited by Apr 9, 2014, 8:25 PM

                            Everyone is interesting to an indiscriminate bot scanning for hosts to exploit.

                              pvoigt
                              last edited by Apr 9, 2014, 8:28 PM

                              @jimp:

                              @joako:

                              @fragged:

                              Use VPN

                              OpenVPN is vulnerable too.

                              Only if used in SSL/TLS mode without a TLS authentication key. The way the wizard sets it up for a simple RA VPN for management use it would not be vulnerable.

                              Yeah, that's good news. When I once manually set up my OpenVPN server without the wizard, I did not exactly understand what this setting would achieve but considered it safe. I have just found your statement confirmed in the OpenVPN community:

                              https://community.openvpn.net/openvpn/wiki/heartbleed

                              Peter

                                fatsailor
                                last edited by Apr 9, 2014, 8:39 PM

                                So there are two versions of openssl in pfsense:

                                /usr/bin/openssl - OpenSSL 0.9.8y 5 Feb 2013 which is the base system openssl

                                and

                                /usr/local/bin/openssl - OpenSSL 1.0.1e 11 Feb 2013 which presumably was installed via the ports system to get a more recent version because of dependencies

                                A simple freebsd-update fetch; freebsd-update install will take care of the first version of openssl.

                                The second version (/usr/local/bin/openssl) will need to be compiled on an 8.3-p11 system via ports to get 1.0.1g. openvpn 2.3.2 needs to be rebuilt from ports along with lighttpd 1.4.32. Move all of this over then while in single user mode.

                                Not terribly difficult, but time consuming - but doable if you need a fix ASAP.

                                NOTE: There may be other dependencies on openssl that I've missed. lighttpd and openvpn are the obvious ones.

                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Apr 9, 2014, 8:46 PM

                                  freebsd-update won't work on pfSense, and would break things if it did. At least for now. Might change in the future.

                                  OpenVPN and lighttpd don't need to be rebuilt; they are not statically linked to OpenSSL.

                                  Just wait for a firmware update, it'll be coming soon.

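The check fatsailor and jimp are discussing (which of the two openssl builds is the affected one, and whether openvpn and lighttpd pick it up dynamically) can be scripted. The following is an added example, not code from the thread, from pfSense or from FreeBSD. The two openssl paths are the ones named above, the daemon paths are assumed, and the vulnerable-range test encodes the CVE-2014-0160 advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g carries the fix, and 0.9.8 and 1.0.0 never had the heartbeat code. The `ldd` output, not the CLI banner, is what tells you which libssl a daemon actually maps.

```python
"""Audit which OpenSSL build each CLI and daemon on a pfSense/FreeBSD box uses.

Added example, not code from the forum thread or from pfSense. OPENSSL_BINARIES
are the two paths named in the thread; DAEMONS are assumed paths, pass your own.
"""
import re
import subprocess

OPENSSL_BINARIES = ["/usr/bin/openssl", "/usr/local/bin/openssl"]
DAEMONS = ["/usr/local/sbin/openvpn", "/usr/local/sbin/lighttpd"]   # assumed paths

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected(banner):
    """True when an `openssl version` banner falls in the CVE-2014-0160 range."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter < "g"          # plain 1.0.1 and a..f are affected, g is fixed
    if release == (1, 0, 2):
        return beta == "1"           # 1.0.2-beta1 shipped the bug, beta2 fixed it
    return False                     # 0.9.8 and 1.0.0 have no heartbeat extension


def run(argv):
    """Run a command and return its stdout, or None if it cannot be run."""
    try:
        out = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout if out.returncode == 0 else None


def libssl_deps(ldd_output):
    """Parse `ldd` output into the libssl/libcrypto paths a binary maps.

    FreeBSD and glibc ldd both print lines like
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)
    An empty list means static linkage or no TLS at all: inspect by hand,
    do not read it as "safe".
    """
    deps = []
    for line in ldd_output.splitlines():
        m = re.search(r"(lib(?:ssl|crypto)\.so[\w.]*)\s*=>\s*(\S+)", line)
        if m:
            deps.append(m.group(2))
    return deps


def audit(binaries=OPENSSL_BINARIES, daemons=DAEMONS):
    """Return ({cli: (banner, affected)}, {daemon: [mapped libssl paths]})."""
    versions, linkage = {}, {}
    for path in binaries:
        banner = run([path, "version"])
        if banner is not None:
            versions[path] = (banner.strip(), heartbleed_affected(banner))
    for path in daemons:
        out = run(["ldd", path])
        if out is not None:
            linkage[path] = libssl_deps(out)
    return versions, linkage


if __name__ == "__main__":
    versions, linkage = audit()
    for path, (banner, bad) in versions.items():
        print("%s: %s -> %s" % (path, banner, "AFFECTED" if bad else "not affected"))
    for path, libs in linkage.items():
        print("%s maps: %s" % (path, ", ".join(libs) or "(no libssl mapping found)"))
```

If `ldd` lists no libssl for a daemon, it may be statically linked, in which case the CLI banner says nothing about it and the daemon itself has to be rebuilt. A dynamically linked daemon picks up the fixed library as soon as it is restarted after the library file is replaced, which is why jimp says OpenVPN and lighttpd need no rebuild on pfSense.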
                                    ingmthompson
                                    last edited by Apr 9, 2014, 8:51 PM

                                    @Satras:

                                    @ingenieurmt:

                                    my network is simply not interesting enough to warrant targeting,

                                    No offense, but this attitude makes you a prime target. People believing they are safe because they are not interesting enough.

                                    I'd prefer to keep my own counsel on what my attitude may or may not constitute, if you don't mind.

                                      keychain
                                      last edited by Apr 9, 2014, 8:54 PM

                                      hm.. should I stay up for an hour more or two?

                                          BBcan177 Moderator
                                          last edited by Apr 9, 2014, 9:14 PM

                                          Snort has released some rules to help detect this vulnerability. If they work?

                                          Just an FYI

                                          http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html

                                          "Experience is something you don't get until just after you need it."

                                          Website: http://pfBlockerNG.com
                                          Twitter: @BBcan177  #pfBlockerNG
                                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

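What the Snort rules BBcan177 links to key on is the arithmetic in the heartbeat record itself: a request that declares a payload_length larger than the record carrying it. The same bound is the check OpenSSL 1.0.1g added on the receiving side. Below is an added example, not code from the thread, from Snort or from OpenSSL, that parses a TLS byte stream constructed in the file, flags the oversized heartbeat, and models the unpatched and patched server behaviour against a made-up block of process memory.

```python
"""Heartbleed (CVE-2014-0160) on the wire: the bound an IDS rule can check,
and the same bound as applied by the OpenSSL 1.0.1g fix.

Added example, not code from the forum thread, from Snort or from OpenSSL.
All traffic below is constructed here; SECRET_MEMORY is a made-up byte string
standing in for whatever sat after the record in the real process heap.
"""
import struct

TLS_HEARTBEAT = 0x18              # record content type, RFC 6520
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 3                     # 1-byte type + 2-byte payload_length
MIN_PADDING = 16                  # RFC 6520 section 4: at least 16 bytes of padding


def parse_records(data):
    """Split a byte string into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break                                   # truncated trailing record
        records.append((ctype, version, body))
        off += 5 + length
    return records


def heartbeat_oversized(body):
    """True when the declared payload_length cannot fit in the record body.

    OpenSSL 1.0.1g added exactly this test (1 + 2 + payload + 16 > rrec.length)
    before touching the payload; an IDS can evaluate the same arithmetic on
    the record header without any session state.
    """
    if len(body) < HB_HEADER:
        return True
    (payload_len,) = struct.unpack("!H", body[1:3])
    return HB_HEADER + payload_len + MIN_PADDING > len(body)


def find_heartbleed_probes(data):
    """Indexes of heartbeat records in `data` whose payload_length overruns them."""
    return [i for i, (ctype, _, body) in enumerate(parse_records(data))
            if ctype == TLS_HEARTBEAT and heartbeat_oversized(body)]


def heartbeat_response(body, process_memory, patched):
    """Model the receiving side of tls1_process_heartbeat for one request body.

    Unpatched: trust payload_length and copy that many bytes starting at the
    payload, running past the record into `process_memory`.
    Patched: discard any request whose payload_length fails the bound.
    Returns the response body, or None when nothing is sent.
    """
    if len(body) < HB_HEADER or body[0] != HB_REQUEST:
        return None
    if patched and heartbeat_oversized(body):
        return None                                 # silently discarded
    (payload_len,) = struct.unpack("!H", body[1:3])
    readable = body[HB_HEADER:] + process_memory    # record payload, then the heap
    payload = readable[:payload_len]                # over-reads when oversized
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * MIN_PADDING


def _record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed sample traffic (not a capture): a two-byte handshake stub, a
# well-formed 4-byte heartbeat request, and the classic probe that declares a
# 16 KiB payload inside a 3-byte record.
HELLO_STUB = _record(0x16, b"\x01\x00")
LEGIT_REQUEST = _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 4)
                        + b"ping" + b"\x00" * MIN_PADDING)
PROBE = _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 0x4000))
SECRET_MEMORY = b"Cookie: session=deadbeefcafe\r\nAuthorization: Basic aHVudGVyMg=="  # made up

if __name__ == "__main__":
    stream = HELLO_STUB + LEGIT_REQUEST + PROBE
    print("suspicious heartbeat records:", find_heartbleed_probes(stream))
    leaked = heartbeat_response(PROBE[5:], SECRET_MEMORY, patched=False)
    print("unpatched server echoes back:", leaked[HB_HEADER:HB_HEADER + len(SECRET_MEMORY)])
    print("patched server answer:", heartbeat_response(PROBE[5:], SECRET_MEMORY, patched=True))
```

The unpatched path hands SECRET_MEMORY back to the sender, the patched path answers nothing, and the well-formed request is still answered either way. This is also why jimp's tls-auth point holds for OpenVPN: with a TLS authentication key, control-channel packets that fail the HMAC are dropped before OpenSSL ever parses the record, so an unauthenticated probe never reaches the heartbeat code.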
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.