Is the team aware of the 4 security bugs?
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Fri Dec 10 10:47:31 PST 2021
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
https://forum.opnsense.org/index.php?topic=13572.msg62511#msg62511
https://forum.opnsense.org/index.php?topic=13571.msg62475#msg62475
Doesn't answer my question in full, though; these bugs have been there for two releases now.
You need to relax a little.
The latest OPNsense version was released on 25 November.
The NSS issue was reported on 1 December - after the latest OPNsense version.
The ruby issues were patched in FreeBSD on 24 November - likely too late in the build process for the latest OPNsense version to be included.
It is probable they will be addressed in 21.7.7.
As the links given by chemlud indicate, the security audit in OPNsense is just a service given to the user. Do you check and follow CVEs on all the operating systems you use and hassle developers about fixing them? Unlikely. At least OPNsense gives more visibility on stuff like this than probably every other system you use.
Yes, both ruby and nss will be updated with 21.7.7 next week. The relevant updates are already in the ports tree and can be rebuilt manually if necessary.
Cheers,
Franco
Also, the affected Ruby code is not used or not in a way it would be exploitable.
Ruby is only used as glue code between the OPNsense GUI or API and some backend processes running on OPNsense. For example as a client for the TOR management protocol.
Okay, thanks dev. I use Ruby so was just curious; thanks for an update. Great to see the devs are active with their members.