News: This forum is now permanently frozen.
Pages: [1]
Topic: OpenSSL 1.0.1[a-f]--is M0N0wall 1.8.1-RELEASE vulnerable?  (Read 1575 times)
« on: April 10, 2014, 03:42:02 »
storkus *
Posts: 9

I've looked around the forums and I don't see anything listed anywhere.  pfSense 2.1.1 is listed as having both 0.9.8g (not vulnerable) and 1.0.1e (vulnerable)--why two different versions in one distro was not explained.  Since my firewall is physically buried at the moment, I can't go to the command line and look to see what's present, so I'll just ask: what is 1.8.1-release running?  And if it is a vulnerable version, when will a patch/upgrade release be done?

Thanks, Mike
« Reply #1 on: April 10, 2014, 06:21:47 »
azdps **
Posts: 63

Mike, looks like there is a website you can visit to test if your vulnerable. Try this:
« Reply #2 on: April 10, 2014, 15:28:53 »
Fred Grayson *****
Posts: 994

You can not test m0n0wall this way unless it is configured to have its GUI accessible from the WAN which not the default configuration.

Google is your friend and Bob's your uncle.
« Reply #3 on: April 10, 2014, 15:53:57 »
brushedmoss ****
Posts: 446

m0n0wall is built against  OpenSSL 0.9.8
« Reply #4 on: April 10, 2014, 18:43:42 »
azdps **
Posts: 63

Looks like 1.8.1 is not vulnerable then.

What versions of the OpenSSL are affected?

Status of different versions:

  •     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
        OpenSSL 1.0.1g is NOT vulnerable
        OpenSSL 1.0.0 branch is NOT vulnerable
        OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
« Reply #5 on: April 11, 2014, 06:05:03 »
storkus *
Posts: 9

Thank you guys so much for the help.  Of course the GUI isn't accessible from the WAN, but I was thinking something else that might be using OpenSSL might be vulnerable like VPN, NTP, etc.  In any case, this makes me feel better even if it isn't being used for anything at the moment. Smiley
Pages: [1]
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines