OPNsense Forum » Archive » 17.7 Legacy Series » Audit reports vulnerabilities openssl in 17.7.7
Topic: Audit reports vulnerabilities openssl in 17.7.7 (Read 4353 times)
ezhik
Newbie
Posts: 17
Karma: 0
Audit reports vulnerabilities openssl in 17.7.7 « on: November 12, 2017, 12:56:44 am »
Running 17.7.7. Running audit reports openssl is vulnerable:
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
openssl-1.0.2l,1 is vulnerable:
OpenSSL -- Multiple vulnerabilities
CVE: CVE-2017-3736
CVE: CVE-2017-3735
WWW: https://vuxml.FreeBSD.org/freebsd/f40f07aa-c00f-11e7-ac58-b499baebfeaf.html
1 problem(s) in the installed packages found.
***DONE***
Patched soon?
« Last Edit: November 12, 2017, 02:02:18 am by ezhik »
comet
Full Member
Posts: 117
Karma: 4
Re: Audit reports vulnerabilities openssl in 17.7.7 « Reply #1 on: November 12, 2017, 08:44:21 am »
I agree that it would be great if this could be updated fairly soon, but I am just wondering, does OPNsense actually by default expose anything that uses openssl to the WAN port? I guess my thinking is that on a router/firewall, openssl would primarily be used for things like https access to the web GUI, or ssh access to a command line, both of which are by default normally only accessible from the LAN side. I suppose if you are running a VPN server that is accessible from the Internet, that could possibly be an issue, but even then I am not sure how. Guess my thinking is that unless you've got some malicious expert hackers on your LAN, this is probably nothing to panic about, but please feel free to enlighten me if I am wrong about that.
But still, I'm all for every bit of security you can get, so if these patches haven't made it into OPNsense already, I hope they do soon.
I'm a home user of OPNsense, not a networking expert. I'd much appreciate it if you'd keep that in mind if replying to something I posted. Many thanks!
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Audit reports vulnerabilities openssl in 17.7.7 « Reply #2 on: November 12, 2017, 10:49:03 am »
The vulnerability tool is a tricky thing: each CVE has its own scope and potential impact.
So far FreeBSD has not issued a security advisory for this, and I also missed the OpenSSL announcement so this went very quietly, mostly because:
One affects amd64 architectures from Intel Broadwell and up, and is, according to the OpenSSL analysis, almost impossible to exploit. The other one is a buffer out of bound read for one single byte. It was announced in August but not patched until November because all it could do was a faulty read of X.509 certificate data during display.
If you care about these two, switch to LibreSSL flavour. There is no operational difference except less patching in general.
We will do a larger update in the last two weeks of November, 17.7.7 has been reliable so far.
Cheers,
Franco
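An added example, not code from the posters or the OPNsense project: a small Python parser for the audit report format shown in the first post, producing one row per CVE so that each can be assessed on its own scope, as the reply above describes. The function names, the `assessed` set and the handling of more than one advisory block per package are assumptions based only on the report as posted.

```python
import re

# Report text as posted in this thread.
SAMPLE_REPORT = """\
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
openssl-1.0.2l,1 is vulnerable:
OpenSSL -- Multiple vulnerabilities
CVE: CVE-2017-3736
CVE: CVE-2017-3735
WWW: https://vuxml.FreeBSD.org/freebsd/f40f07aa-c00f-11e7-ac58-b499baebfeaf.html
1 problem(s) in the installed packages found.
***DONE***
"""

PKG_LINE = re.compile(r"^(\S+) is vulnerable:$")
CVE_LINE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})$")
WWW_LINE = re.compile(r"^WWW:\s*(https?://\S+)$")
COUNT_LINE = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")

def parse_audit(report):
    """Return (advisories, reported_count); the count is None if no summary line is present."""
    advisories, count, pkg, cur = [], None, None, None
    for raw in report.splitlines():
        line = raw.strip()
        if m := PKG_LINE.match(line):
            pkg, cur = m[1], None
        elif m := COUNT_LINE.match(line):
            count, pkg, cur = int(m[1]), None, None
        elif pkg is None or not line:
            continue                      # banner lines and blank separators
        elif cur is None or cur["url"]:   # first line of a block is the advisory title
            cur = {"package": pkg, "title": line, "cves": [], "url": ""}
            advisories.append(cur)
        elif m := CVE_LINE.match(line):
            cur["cves"].append(m[1])
        elif m := WWW_LINE.match(line):
            cur["url"] = m[1]
    return advisories, count

def triage_rows(report, assessed=frozenset()):
    """One row per CVE: (name, version, cve, status); `assessed` holds CVE ids already reviewed."""
    rows = []
    for adv in parse_audit(report)[0]:
        name, _, version = adv["package"].rpartition("-")  # version follows the last hyphen
        for cve in adv["cves"]:
            rows.append((name, version, cve, "assessed" if cve in assessed else "new"))
    return rows
```

Calling `triage_rows(SAMPLE_REPORT, assessed={"CVE-2017-3735"})` marks that CVE as already reviewed and leaves the other as new.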
ezhik
Newbie
Posts: 17
Karma: 0
Re: Audit reports vulnerabilities openssl in 17.7.7 « Reply #3 on: November 13, 2017, 12:14:23 am »
Thanks.