Bug #7632

closed

CVE-2016-2107 in OpenSSL

Added by Adrian James almost 7 years ago. Updated almost 7 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/08/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.3.4
Affected Plus Version:
Affected Architecture: amd64

Description

pfSense 2.3.4 uses OpenSSL 1.0.1s which is vulnerable to CVE-2016-2107 Oracle Padding attack. HAProxy TLS termination for front ends uses this and so makes services dependent on it vulnerable.

Actions #1

Updated by Jim Pingle almost 7 years ago

  • Status changed from New to Rejected

FreeBSD patches OpenSSL in its own way; relying on the version number is not accurate to determine vulnerabilities.

Search for that CVE on FreeBSD and you'll find this:

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc

Corrected:
2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)

Now look at the FreeBSD versions used by various pfSense releases:
https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD

2.3.1 [...] 10.3-RELEASE-p3

And since -p3 is greater than -p2, that CVE has been fixed since pfSense 2.3.1 over a year ago.
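
The patch-level comparison made in the comment above, as an added example that is not part of the original thread or of any pfSense or FreeBSD tooling. The function names `split_release` and `advisory_status` are hypothetical; the two version strings in the final call are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: decide whether a FreeBSD base system includes an advisory's
# fix by comparing patch levels on the same release branch, instead of
# trusting the string printed by `openssl version`.

# split_release "10.3-RELEASE-p3" -> prints "10.3 3".
# A release with no -pN suffix is patch level 0. Anything else is rejected.
split_release() {
    case "$1" in
        *-RELEASE-p*)
            rel=${1%%-RELEASE*}
            pl=${1##*-RELEASE-p}
            ;;
        *-RELEASE)
            rel=${1%%-RELEASE}
            pl=0
            ;;
        *) return 1 ;;
    esac
    # The patch level must be purely numeric.
    case "$pl" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$rel" "$pl"
}

# advisory_status RUNNING CORRECTED
# Prints one of: fixed | unpatched | unknown
advisory_status() {
    running=$(split_release "$1") || { echo unknown; return 0; }
    corrected=$(split_release "$2") || { echo unknown; return 0; }
    r_branch=${running% *};   r_pl=${running#* }
    c_branch=${corrected% *}; c_pl=${corrected#* }
    # Patch levels are only comparable within one release branch; the
    # advisory lists a separate "Corrected:" entry for each branch.
    if [ "$r_branch" != "$c_branch" ]; then
        echo unknown
    elif [ "$r_pl" -ge "$c_pl" ]; then
        echo fixed
    else
        echo unpatched
    fi
}

# Values from the thread: the advisory says 10.3-RELEASE-p2 is corrected,
# and pfSense 2.3.1 is based on 10.3-RELEASE-p3.
# On a live system the first argument would come from `freebsd-version -u`.
advisory_status "10.3-RELEASE-p3" "10.3-RELEASE-p2"
```

An upstream OpenSSL version string such as `1.0.1s` is not a FreeBSD release string, so the function reports `unknown` for it rather than guessing.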

Actions #2

Updated by Adrian James almost 7 years ago

We have 2.3.4 in use, hosting a website with HAProxy TLS offload. SSLLabs confirms that it is vulnerable to Oracle Padding when tested. When I do 'openssl version' in pfSense it reports 1.0.1s, which OpenSSL says is vulnerable and suggests upgrading to 1.0.1t to fix.

From what I can tell 2.3.5 and 2.4 both come with updated OpenSSL packages which will fix the issue.

The issue was reintroduced into OpenSSL in April when another bug was patched (CVE-2013-0169).

Actions #3

Updated by Adrian James almost 7 years ago

Sorry, I follow what you are saying now!

The SSLLabs test still says that we are vulnerable when we test the site. Does HAProxy use its own OpenSSL package or the system one?

Actions #4

Updated by Jim Pingle almost 7 years ago

Are you certain that your pfSense installation is current? We ran that same test against a 2.3.4 system with HAProxy and ssllabs said it was not vulnerable.

Perhaps the test was hitting some other host or was not using SSL offloading so it was really testing the backend server?

At this point you are better off starting a thread on the forum in the cache/proxy board to discuss the problem.
