Vulnerabilities from the WAN?

Started by Spiky_Gladiator, December 31, 2022, 12:46:54 PM

I have noticed that OPNSense is using OpenSSL components that I recently heard had major vulnerabilities discovered and advisories released. The default installation of OPNSense seems to have an outdated OpenSSL component from July of this year. Therefore, I have a few questions:

  • What is OpenSSL used for within OPNSense?
  • Does updating OPNSense also update the OpenSSL libraries?

My main question here would be: would having an outdated OpenSSL version pose any security risks from the WAN side? I'm not really sure what would be affected internally as well if OpenSSL is outdated, as I'm new to OPNSense.

Can anyone please chime in and provide some insight here?
Thanks

Typically OpenSSL vulnerabilities are client-based, server-based, or both. Most often it requires either side to be patched to at least mitigate a vulnerability.

When you ask if this could impact the WAN side, this is somewhat vague; it must be that you have services listening on the WAN side. If there are no services listening on the WAN side, you are typically not vulnerable.

If by that question you mean there could be an attacker coming in over the WAN after compromising an SSL/TLS connection from a client over the WAN to a service on the internet, then you could be vulnerable.

Note that 'a vulnerability' is different from 'an exploitable vulnerability'; the conditions to exploit a vulnerability may be relaxed (a bad thing) or very strict (a good thing).

When it comes to OpenSSL, visit https://www.openssl.org/news/vulnerabilities.html and verify that you understand what version is installed, because there may be specifics to the OS you're using. For example, RedHat backports patches to old version numbers by appending minor version indicators. Thus a low version may not be vulnerable because it was patched as if it were a 3.x version.

The most recent OpenSSL vulnerabilities are typically not easy to exploit and require specific conditions to occur, as they pivot on x509 certificates and specific parameters being enabled. It is my distinct impression there is not a very high risk for typical scenarios.
The most prevalent risk is that of a Denial-of-Service, implying you'd be running, for example, an https-enabled web service on WAN.

I hope this brings some clarity.

January 04, 2023, 06:00:26 PM #2 Last Edit: January 04, 2023, 06:03:20 PM by Frostbite8289
Quote from: Spiky_Gladiator on December 31, 2022, 12:46:54 PM

  • What is OpenSSL used for within OPNSense?
  • Does updating OPNSense also update the OpenSSL libraries?
  • Would having an outdated OpenSSL version pose any security risks from the WAN side?
What has been said so far in the thread rang true to me.
OPNSense 22.7.10_2 has: OpenSSL 1.1.1s  1 Nov 2022. It does update libraries too. This is a supported release.
It can in theory, but I don't see a current threat; your mileage may vary. OPNSense seems to do a much better job at staying current than a lot of other products. The latest OpenSSL 3 can cause other compatibility issues.

> What is OpenSSL used for within OPNSense?

Most of the SSL duties? That's a broad question with a book of answers you are asking here...

> Does updating OPNSense also update the OpenSSL libraries?

Yes. And keep in mind there are two libraries installed.

One is from the base system, for operating system tools that require it. Its version number is not updated, but it is patched by FreeBSD security advisories as required.

/usr/bin/openssl version
OpenSSL 1.1.1o-freebsd  3 May 2022

The other one is installed by the package system in order to provide more timely and steady updates of it, and is in turn used by all third-party software tools installed (or to be installed through the "pkg" utility).

/usr/local/bin/openssl version
OpenSSL 1.1.1s  1 Nov 2022

> The default installation of OPNSense seems to have outdated OpenSSL component from July of this year.

So how up to date is a prebuilt image from July in terms of software included? July perhaps? That's why you update after install if it's not July anymore. :)
Cheers,
Franco
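A small POSIX shell check, added here as an example and not code from the thread or from OPNsense, that inventories the two OpenSSL copies Franco describes (base at /usr/bin/openssl, pkg at /usr/local/bin/openssl) and compares each against a minimum patch level. The baseline 1.1.1s is the version quoted in the thread; the comparison assumes plain upstream version strings, so a system that backports fixes without bumping the version (the RedHat case mentioned above, and the FreeBSD base copy) will be reported as outdated even when it is patched, which is exactly why the advisory list, not the version number, is the authority.

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense: report both OpenSSL copies
# on a FreeBSD/OPNsense host and compare each to a minimum patch level.
# Caveat (from the thread): distros that backport fixes without bumping the
# version string will look "outdated" here even though they are patched.

# Reduce `openssl version` output to its bare version token:
#   "OpenSSL 1.1.1o-freebsd  3 May 2022" -> "1.1.1o"
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ sub(/-.*/, "", $2); print $2 }'
}

# Exit 0 when version $1 is at least version $2. Each dotted field is
# compared numerically, then by its trailing patch letter (1.1.1s vs 1.1.1o),
# which also covers the letterless 3.x numbering (3.0.7 vs 3.0.5).
openssl_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, A, "."); split(b, B, ".")
        for (i = 1; i <= 3; i++) {
            na = A[i] + 0; nb = B[i] + 0
            sa = A[i]; sub(/^[0-9]*/, "", sa)
            sb = B[i]; sub(/^[0-9]*/, "", sb)
            if (na != nb) exit !(na > nb)
            if (sa != sb) exit !(sa > sb)
        }
        exit 0
    }'
}

# Prints "ok" or "outdated" for one line of `openssl version` output ($1)
# against a minimum version ($2).
classify_openssl() {
    v=$(openssl_version_token "$1")
    if openssl_at_least "$v" "$2"; then echo "ok"; else echo "outdated"; fi
}

# Minimum taken from the thread (pkg copy in OPNsense 22.7.10_2).
MINIMUM=1.1.1s
for bin in /usr/bin/openssl /usr/local/bin/openssl; do
    if [ -x "$bin" ]; then
        out=$("$bin" version)
        printf '%-24s %-40s %s\n' "$bin" "$out" "$(classify_openssl "$out" "$MINIMUM")"
    else
        printf '%-24s not installed\n' "$bin"
    fi
done
```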