=============================================================================
pfSense-SA-14_04.openssl                                    Security Advisory
                                                                      pfSense

Topic:          OpenSSL "Heartbleed" Information Disclosure, ECDSA

Category:       pfSense Base System and Packages
Module:         openssl
Announced:      2014-04-08
Credits:        Neel Mehta of Google Security
                Adam Langley
                Bodo Moeller
                http://heartbleed.com/
Affects:        pfSense >= 2.1, <= 2.1.1
Corrected:      2014-04-08 14:40:00 UTC (Base system)
                2014-04-09 22:10:29 UTC (Packages)
CVE Name:       CVE-2014-0160 (Heartbleed)
                CVE-2014-0076 (ECDSA Flaw)
FreeBSD SA:     FreeBSD-SA-14:06.openssl

0.   Revision History

v1.0  2014-04-08  Initial release.
v1.1  2014-04-09  Added information from FreeBSD SA and about ECDSA flaw
                  Added information about the OpenVPN Client Export package

I.   Background

pfSense is a free network firewall distribution, based on the FreeBSD
operating system with a custom kernel and including third party free
software packages for additional functionality. pfSense provides most of
the functionality of common commercial firewalls, and many times more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is absolutely not necessary. Unlike some
similar GNU/Linux-based firewall distributions, there is no need for any
UNIX knowledge, no need to use the command line for anything, and no need
to ever manually edit any rule sets. In fact, the majority of pfSense users
have never installed or used a stock FreeBSD system. Users familiar with
commercial firewalls catch on to the web interface quickly, though there
can be a learning curve for users not familiar with commercial-grade
firewalls.

- From the FreeBSD SA [5]:

The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the
usage of keep-alive functionality without performing a renegotiation and a
basis for path MTU (PMTU) discovery for DTLS.

Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the
Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography.

OpenSSL uses the Montgomery Ladder Approach to compute scalar
multiplication in a fixed amount of time, which does not leak any
information through timing or power.

II.  Problem Description

- From the CVE Overview [1]:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do
not properly handle Heartbeat Extension packets, which allows remote
attackers to obtain sensitive information from process memory via crafted
packets that trigger a buffer over-read, as demonstrated by reading private
keys, related to d1_both.c and t1_lib.c. [CVE-2014-0160]

- From OpenSSL [2]:

A missing bounds check in the handling of the TLS heartbeat extension can
be used to reveal up to 64k of memory to a connected client or server.
[CVE-2014-0160]

- From the FreeBSD SA [5]:

A flaw in the implementation of Montgomery Ladder Approach would create a
side-channel that leaks sensitive timing information. [CVE-2014-0076]

III. Impact

Keys and other data may be exposed to attackers with access to the traffic
stream. [CVE-2014-0160]

OpenVPN is only impacted if TLS Authentication Keys are NOT in use, or if
the attacker also has your TLS key(s) [3].

- From the CERT advisory [4]:

By attacking a service that uses a vulnerable version of OpenSSL, a remote,
unauthenticated attacker may be able to retrieve sensitive information,
such as secret keys. By leveraging this information, an attacker may be
able to decrypt, spoof, or perform man-in-the-middle attacks on network
traffic that would otherwise be protected by OpenSSL. [CVE-2014-0160]

- From the FreeBSD SA [5]:

A local attacker might be able to snoop a signing process and might recover
the signing key from it. [CVE-2014-0076]

NOTE: ECDSA is not an option in pfSense at this time, but some users may
have imported certificates generated outside of pfSense which use ECDSA.

IV.  Workaround

No valid workaround exists. Firmware and package updates are required.

The threat can be somewhat mitigated by limiting access to the web
interface to only trusted interfaces, not using add-on packages to offer
SSL-enabled public services, and by using TLS keys in combination with
SSL-based OpenVPN connections.

If external certificates utilizing ECDSA have been imported, update to a
non-vulnerable firmware or replace the certificates with ones that do not
use ECDSA.

V.   Solution

Perform the following:

1) Upgrade to pfSense 2.1.2 upon its release. This can be performed in the
   web interface or from the console.
   See https://doc.pfsense.org/index.php/Upgrade_Guide

2) Ensure that all packages are up-to-date after the upgrade. pfSense uses
   PBI style packages which include their own copy of the libraries they
   require. Such packages must be updated independently to ensure that no
   vulnerable libraries are still in use.

3) Create new Certificate Authorities and Certificates to replace ones
   which may have been compromised.

4) Ensure that remote VPN clients outside of the firewall which may also be
   vulnerable are updated using new installer packages containing a
   non-vulnerable OpenSSL library.

VI.  Correction details

The OpenSSL library was updated to 1.0.1g. Firmware images and packages
were rebuilt using the updated library.

The OpenVPN Client Export package was updated with current OpenVPN Windows
installers using version 2.3.3-I001 which include OpenSSL 1.0.1g.

VII. References

1:
2:
3:
4:
5:

The latest revision of this advisory is available at
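
For step 2 of the Solution (packages that bundle their own OpenSSL copy), the following POSIX sh script is an added example, not part of the original advisory or of pfSense's tooling. It walks a directory tree, reads the version banner embedded in each libssl/libcrypto file, and flags versions in the range section II gives for CVE-2014-0160; the function names and the directory argument are assumptions, since the advisory does not say where package libraries are installed.

```shell
#!/bin/sh
# Added example: find bundled OpenSSL copies and flag CVE-2014-0160 exposure.
# Function names and the scan directory are assumptions, not pfSense tooling.

# Affected range as quoted in section II: OpenSSL 1.0.1 before 1.0.1g.
classify_openssl_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;
        *)                echo "not-in-affected-range" ;;
    esac
}

# Print "<status> <version> <path>" for each libssl/libcrypto file under $1.
# The version is read from the banner string compiled into the library
# (for example "OpenSSL 1.0.1e 11 Feb 2013"); files without one are skipped.
scan_openssl_copies() {
    find "$1" -type f \( -name 'libssl*' -o -name 'libcrypto*' \) 2>/dev/null |
    while IFS= read -r lib; do
        ver=$(grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$lib" |
              head -n 1 | cut -d' ' -f2)
        [ -n "$ver" ] || continue
        echo "$(classify_openssl_version "$ver") $ver $lib"
    done
}

# Usage: sh scan.sh /path/to/package/root
if [ "$#" -gt 0 ]; then
    scan_openssl_copies "$1"
fi
```

A statically linked OpenSSL will not appear in this scan, and a clean result for files on disk says nothing about keys that may already have been exposed, which is why step 3 still applies.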