OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: ezhik on November 12, 2017, 12:56:44 am

Title: Audit reports vulnerabilities openssl in 17.7.7
Post by: ezhik on November 12, 2017, 12:56:44 am
Running 17.7.7. Running audit reports that openssl is vulnerable:

***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
openssl-1.0.2l,1 is vulnerable:
OpenSSL -- Multiple vulnerabilities
CVE: CVE-2017-3736
CVE: CVE-2017-3735
WWW: https://vuxml.FreeBSD.org/freebsd/f40f07aa-c00f-11e7-ac58-b499baebfeaf.html

1 problem(s) in the installed packages found.
***DONE***

Patched soon?
Title: Re: Audit reports vulnerabilities openssl in 17.7.7
Post by: comet on November 12, 2017, 08:44:21 am
I agree that it would be great if this could be updated fairly soon, but I am just wondering, does OPNsense actually by default expose anything that uses openssl to the WAN port? I guess my thinking is that on a router/firewall, openssl would primarily be used for things like https access to the web GUI, or ssh access to a command line, both of which are by default normally only accessible from the LAN side. I suppose if you are running a VPN server that is accessible from the Internet, that could possibly be an issue, but even then I am not sure how. I guess my thinking is that unless you've got some malicious expert hackers on your LAN, this is probably nothing to panic about, but please feel free to enlighten me if I am wrong about that.

But still, I'm all for every bit of security you can get, so if these patches haven't made it into OPNsense already, I hope they do soon.
Title: Re: Audit reports vulnerabilities openssl in 17.7.7
Post by: franco on November 12, 2017, 10:49:03 am
The vulnerability tool is a tricky thing: each CVE has its own scope and potential impact.

So far FreeBSD has not issued a security advisory for this, and I also missed the OpenSSL announcement so this went very quietly, mostly because:

One affects amd64 architectures from Intel Broadwell and up, and is, according to the OpenSSL analysis, almost impossible to exploit. The other one is an out-of-bounds buffer read of one single byte. It was announced in August but not patched until November because all it could do was a faulty read of X.509 certificate data during display.

If you care about these two, switch to LibreSSL flavour. There is no operational difference except less patching in general.

We will do a larger update in the last two weeks of November; 17.7.7 has been reliable so far.


Cheers,
Franco
Title: Re: Audit reports vulnerabilities openssl in 17.7.7
Post by: ezhik on November 13, 2017, 12:14:23 am
Thanks.