Heartbleed vulnerability

Status
Not open for further replies.

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
Can anyone comment on the scope of the damage that the heartbleed vulnerability has inflicted on FreeNAS? What services does it affect? What is still safe? Obviously it is related to the SSL/TLS implementation, but I am not up on what all is covered under this.

If there are still patches to be applied, when could they reasonably be expected to happen?

The reason why I ask is because I'll be setting up a remote rsync backup in the next week or so and I want to be protected.

Thanks!
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Looks like 9.2.1.3 uses OpenSSL 0.9.8y, which does not have the vulnerability. BTW, there is no impact on SSH.
 

Satam

Dabbler
Joined
Jan 23, 2014
Messages
40
FreeBSD 10 is (was?) affected by the bug. FreeBSD 9 still uses OpenSSL 0.9.8. So since FreeNAS 10 isn't out yet, and in FreeBSD 10 they must have updated OpenSSL by now, FreeNAS is not and will not be affected.

BUT, it won't hurt to change your FreeNAS passwords, too, since you are already busy changing ALL of your passwords right now anyway, aren't you? You are, aren't you? Aren't you? o_O


BTW, there is no impact on SSH.
Oh yeah? Someone strongly disagrees with FreeBSD's bug disclosure policies and knows of something...

http://thread.gmane.org/gmane.os.openbsd.tech/35722/focus=35731

:rolleyes:

PS: Now that I think of it, we might not be out of trouble just yet, as most of you are probably using a server mainboard which is nowadays basically two computers in one: the x64 system that is running the host OS, and a managing computer in the form of an ARM SoC. What version of OpenSSL is running on that BMC is a good question. IPMI, already being a security nightmare by design, becomes even more scary now. You'd better log in to its console and try to figure it out.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
Wondering if the OpenVPN that is included with FreeNAS is affected. Not sure if it bundles OpenSSL. Or does it just use the FreeNAS-included OpenSSL that you've already said was fixed?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
We have 2 threads on this. FreeNAS 8.0.0-alpha all the way up through all current versions have not and never been susceptible to the heartbleed vulnerability.
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
We have 2 threads on this. FreeNAS 8.0.0-alpha all the way up through all current versions have not and never been susceptible to the heartbleed vulnerability.

So is OpenSSL bundled with OpenVPN or not? Are you sure that the OpenSSL version that OpenVPN is using in FreeNAS (bundled or not) is an unaffected version? How are you sure?

It would be nice to have an official statement from FreeNAS lead developers on this.

Background reading:
OpenVPN is confirmed vulnerable depending on version. Not just the obvious theoretical attack, but in practice an attack has been proven to release private keys.
https://community.openvpn.net/openvpn/wiki/heartbleed
http://arstechnica.com/security/201...rtbleed-bug-exposes-openvpn-private-keys-too/
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Code:
[root@FreeNAS] ~# ssh -v
OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
First, OpenVPN is used in a jail. FreeNAS doesn't "use" any version of OpenVPN. That means iXsystems has no control over what version you run in said jail. The administrator of your jail should be the one to direct questions to.

Second, if you run OpenVPN outside of the jail somehow, that's not sanctioned by iXsystems and never has been. So again, they are NOT liable to research the problem or tell you if you are vulnerable. They have never supported or condoned the use of OpenVPN on FreeNAS itself. Us mods mention this in almost every single thread where people talk about OpenVPN. Security devices should never be mixed with other devices (such as storage servers).

Third, the developers are never in the forums. You're welcome to ask in IRC if you really want to know, and they may or may not answer you. Note that they've already discussed this many times in IRC, so they may not respond again to the same question. I relayed this information, but you've deemed my relaying of the message to not be sufficient enough for whatever reason.

Edit: And to be honest, if you are *that* concerned about it, the FreeNAS source is available. Anyone that is truly concerned should be doing the verification themselves instead of relying on someone else to make that determination. People make mistakes. The whole problem with Heartbleed is that *everyone* thought that *someone else* was responsible for ensuring that kind of mistake doesn't happen.

Trust but verify has always been the motto of good security practices.
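Following the "trust but verify" advice and SmallGuy's `ssh -v` check above, here is a small added example (not code from this thread, FreeNAS or iXsystems) that takes the version line a tool reports and classifies it against the CVE-2014-0160 affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; the 0.9.8 and 1.0.0 branches and 1.0.1g or later are not affected). The sample lines in the block are constructed, not captured from a real host; the `check_host` function is my own convenience wrapper and only queries whichever of `openssl`, `ssh` and `openvpn` happen to be installed, so it can be run inside a jail as well as on the host.

```shell
#!/bin/sh
# Added example (not from the thread): classify the OpenSSL version a tool
# reports against the CVE-2014-0160 (Heartbleed) affected range, so a host or
# jail can be verified directly rather than on someone's word.
#
# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Not affected: the 0.9.8 and 1.0.0 branches, and 1.0.1g or later.

# Extract the version token that follows "OpenSSL" in a line of tool output,
# e.g. "OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013" from `ssh -v`/`ssh -V`,
# "OpenSSL 1.0.1e-freebsd 11 Feb 2013" from `openssl version`, or the
# "library versions: OpenSSL ..." line of `openvpn --version`.
openssl_version_from() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL[ _]\([0-9][0-9A-Za-z.-]*\).*/\1/p' | head -n 1
}

# heartbleed_status <line>  -> prints: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    ver=$(openssl_version_from "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        # 1.0.1 with no letter, or letters a-f, with or without a vendor suffix
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        1.0.2-beta1|1.0.2-beta1-*)             echo vulnerable ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*) echo not-vulnerable ;;
        *)                                     echo unknown ;;
    esac
}

# Live check (hypothetical helper): ask each installed tool which OpenSSL it
# was built against. openvpn is optional, since on FreeNAS it lives in a jail.
check_host() {
    for cmd in openssl ssh openvpn; do
        command -v "$cmd" >/dev/null 2>&1 || continue
        case "$cmd" in
            openssl) out=$(openssl version 2>&1) ;;
            ssh)     out=$(ssh -V 2>&1) ;;
            openvpn) out=$(openvpn --version 2>&1 | head -n 5) ;;
        esac
        printf '%-8s %s\n' "$cmd" "$(heartbleed_status "$out")"
    done
}

# Demo over constructed sample lines (not captured from a real system).
for line in \
    "OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.1e-freebsd 11 Feb 2013" \
    "library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06"; do
    printf '%-15s %s\n' "$(heartbleed_status "$line")" "$line"
done

# Run with "--host" to query the tools installed on this machine instead.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The classifier works on the version string only; it says which branch the binary was built against, not whether a vendor backported the fix without bumping the letter, so a result of `vulnerable` on a patched system still needs to be confirmed against the vendor's advisory, and `unknown` means the tool's output did not name an OpenSSL version at all.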
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
But the heartbleed vulnerability doesn't apply to FreeNAS at all. The version of OpenSSL used in FreeNAS is not one that has been vulnerable to heartbleed. Or do you have evidence to the contrary? My source is the devs in IRC when this whole heartbleed thing happened. ;)
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
The OpenSSL versions impacted are listed in the NVD link I provide above.
I have also read this yesterday: https://bugs.freenas.org/issues/5167, so I'm confident FreeNAS's past and next releases aren't impacted by the Heartbleed vulnerability.
Regarding the bug report, it looks like the devs are concerned with FreeNAS vulnerabilities.
 

matto

FreeBSD Advocate
iXsystems
Joined
Sep 4, 2012
Messages
46
The ticket referenced above applied to further vulnerabilities found in OpenSSL other than Heartbleed. There are no known exploits for them in the wild yet, but they have already been resolved.
 