
Topic: OpenSSL CVE-2016-0800 a.k.a. "Drown"

jimp (Administrator)
OpenSSL CVE-2016-0800 a.k.a. "Drown"
« on: March 01, 2016, 08:59:14 am »
tl;dr version: Drown attacks SSLv2, we have disabled SSLv2 for the GUI since April 2011 (Nearly 5 years ago). Nothing to get excited about with respect to the firewall.

See also: https://www.openssl.org/news/secadv/20160301.txt

It may be possible to configure a package in a vulnerable way (Apache+mod_security, Squid reverse proxy, haproxy), but odds are if you fixed your config for POODLE by disabling SSLv3 you probably already disabled SSLv2 back then.

Still it's a good time to check other SSL-enabled services like SMTP and POP3/IMAP to make sure you have SSLv2 and SSLv3 disabled there as well.

There are some other OpenSSL issues in the advisory but none of them appear to affect us in a significant way. Still not likely to require a pfSense 2.2.7 with 2.3 so close, but it's still being discussed.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

KOM
Re: OpenSSL CVE-2016-0800 a.k.a. "Drown"
« Reply #1 on: March 02, 2016, 11:31:28 am »
Any thoughts of dumping OpenSSL for LibreSSL?

jimp (Administrator)
Re: OpenSSL CVE-2016-0800 a.k.a. "Drown"
« Reply #2 on: March 02, 2016, 12:31:36 pm »
None at all that I'm aware of. So far their track record hasn't been inspiring. Sounds good on paper, but practically it's not as big an advantage as some would like you to believe.

2chemlud
Re: OpenSSL CVE-2016-0800 a.k.a. "Drown"
« Reply #3 on: March 04, 2016, 05:10:10 pm »
"Why does your tool say I support SSLv2, but nmap says I don't?

Due to CVE-2015-3197, OpenSSL may still accept SSLv2 connections even if all SSLv2 ciphers are disabled."

https://drownattack.com/#faq-pfs

...just saying


And btw, I guess many are not going to switch directly to 2.3, even if available, but stick to 2.2.X for production
https://www.youtube.com/watch?v=TlBIa8z_Mts

I have been permanently banned from posting/PM on this forum. Sorry, no replies... ;-)
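The handshake-level check that the first post (verify SMTP, POP3 and IMAP listeners refuse SSLv2 and SSLv3) and the DROWN FAQ quote above are both pointing at, as an added example that is not code from any poster here nor from the pfSense project: it sends a raw SSLv2 CLIENT-HELLO and judges the service by what comes back (an SSLv2 SERVER-HELLO, a TLS alert, or a closed connection), not by which cipher suites are enabled. That distinction is the CVE-2015-3197 trap the FAQ describes: an affected OpenSSL completes the SSLv2 handshake even when every SSLv2 cipher has been turned off. The `probe()` name, the verdict strings and the `SAMPLE_RESPONSES` are my own constructions; the byte layouts follow the SSLv2 specification.

```python
"""Handshake-level SSLv2 check (added example; constructed sample data)."""
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSLv2
        + struct.pack(">H", len(specs))      # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + specs
        + challenge
    )
    # 2-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Parse the fixed part of an SSLv2 SERVER-HELLO and list the ciphers it offers."""
    record_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg = data[2:2 + record_len]
    # SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2)
    # cert-len(2) cipher-specs-len(2) conn-id-len(2), then cert, specs, conn-id
    msg_type, sid_hit, _cert_type, version, cert_len, specs_len, _cid_len = \
        struct.unpack(">BBBHHHH", msg[:11])
    if msg_type != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    specs = msg[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {"version": version, "cert_len": cert_len,
            "session_id_hit": sid_hit, "ciphers": ciphers}

def classify_response(data):
    """Turn the bytes a server sent after our CLIENT-HELLO into a verdict.

    'sslv2-accepted'  -> server answered with an SSLv2 SERVER-HELLO (bad)
    'rejected-alert'  -> server answered with a TLS alert record
    'rejected-closed' -> server closed the connection without replying
    'unknown'         -> anything else; inspect by hand
    """
    if not data:
        return "rejected-closed", None
    if data[0] == 0x15 and len(data) >= 7:
        # TLS alert: type(1) version(2) length(2) level(1) description(1)
        return "rejected-alert", {"level": data[5], "description": data[6]}
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "sslv2-accepted", parse_sslv2_server_hello(data)
    return "unknown", None

def probe(host, port=443, timeout=5.0):
    """Send an SSLv2 CLIENT-HELLO to host:port and classify the reply (implicit-TLS ports only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        data = b""
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] & 0x80 and len(data) >= 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF):
                    break  # whole SSLv2 record is in
                if data[0] == 0x15 and len(data) >= 7:
                    break  # whole TLS alert is in
        except socket.timeout:
            pass
        return classify_response(data)

def _constructed_server_hello(cipher_specs, cert=b"", conn_id=b"\x11" * 16):
    """Build a SERVER-HELLO the way an SSLv2 server would (constructed test data, no real cert)."""
    specs = b"".join(cipher_specs)
    msg = struct.pack(">BBBHHHH", 0x04, 0, 1, 0x0002, len(cert), len(specs), len(conn_id))
    return struct.pack(">H", 0x8000 | len(msg + cert + specs + conn_id)) + msg + cert + specs + conn_id

# Constructed replies, one per verdict, so the classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "sslv2-server": _constructed_server_hello([b"\x01\x00\x80", b"\x07\x00\xc0"]),
    # CVE-2015-3197 shape: handshake completes although no SSLv2 cipher is offered.
    "sslv2-no-ciphers": _constructed_server_hello([]),
    "tls-alert": bytes.fromhex("15030100020228"),  # fatal handshake_failure
    "closed": b"",
}

if __name__ == "__main__":
    for name, reply in SAMPLE_RESPONSES.items():
        print(name, "->", classify_response(reply))
```

Run `probe("mail.example.com", 993)` (or 465, 995, 443) against listeners you operate; it speaks to implicit-TLS ports only, so SMTP on 25/587 would first need the STARTTLS exchange, which this code does not do. The `sslv2-no-ciphers` sample comes back as `sslv2-accepted` with an empty cipher list: that is the CVE-2015-3197 situation, and it is why a check that only enumerates enabled ciphers can report no SSLv2 while the DROWN tester still flags the host.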

pgb
Re: OpenSSL CVE-2016-0800 a.k.a. "Drown"
« Reply #4 on: March 30, 2016, 09:06:35 am »
My default installation of Squid Reverse Proxy is vulnerable. How can I disable SSLv2 and SSLv3? I haven't found a way in the UI.

jimp (Administrator)
Re: OpenSSL CVE-2016-0800 a.k.a. "Drown"
« Reply #5 on: April 01, 2016, 01:34:26 pm »
Try posting that in a message on the Cache/Proxy board, you'll have better luck there. There is likely an advanced configuration directive you need to use.
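For the Squid reverse proxy question above, an added example that is not from any poster nor from the pfSense or Squid projects: whichever way the package lets you add listener options, the thing to verify in the generated squid.conf is that each `https_port` line carries `options=NO_SSLv2,NO_SSLv3`. I am assuming the Squid 3.x `https_port ... options=` syntax here; the constructed `WEAK_CONF` and `HARDENED_CONF` show the same listener before and after the change, and `check_squid_https_ports()` lints a configuration for listeners that lack either option. Paths, hostnames and addresses are made up.

```python
"""Lint Squid https_port lines for NO_SSLv2/NO_SSLv3 (added example; constructed configs)."""
import shlex

# Options an https_port line must carry (Squid 3.x syntax assumed).
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3"}

def check_squid_https_ports(conf_text):
    """Return one finding per https_port line: (line_no, port_spec, missing_options)."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line.startswith("https_port"):
            continue
        tokens = shlex.split(line)
        port_spec = tokens[1] if len(tokens) > 1 else "?"
        enabled = set()
        for tok in tokens[2:]:
            if tok.startswith("options="):
                enabled.update(o.strip() for o in tok[len("options="):].split(",") if o.strip())
        findings.append((line_no, port_spec, sorted(REQUIRED_OPTIONS - enabled)))
    return findings

def hardened(conf_text):
    """True when the config has at least one https_port and every one refuses SSLv2 and SSLv3."""
    findings = check_squid_https_ports(conf_text)
    return bool(findings) and all(not missing for _, _, missing in findings)

# Constructed sample: a reverse-proxy listener without protocol restrictions...
WEAK_CONF = """\
# reverse proxy listener (weak: no protocol restrictions)
https_port 443 accel defaultsite=www.example.com vhost cert=/usr/local/etc/squid/server.crt key=/usr/local/etc/squid/server.key
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=web
"""

# ...and the same listener with SSLv2 and SSLv3 refused.
HARDENED_CONF = """\
# same listener, SSLv2 and SSLv3 disabled
https_port 443 accel defaultsite=www.example.com vhost cert=/usr/local/etc/squid/server.crt key=/usr/local/etc/squid/server.key options=NO_SSLv2,NO_SSLv3
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=web
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for line_no, port, missing in check_squid_https_ports(text):
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"line {line_no}: https_port {port}: {status}")
```

Point it at the squid.conf the package actually generates (`python3 lint.py /path/to/squid.conf`) rather than at the UI fields, since what matters is what Squid reads at startup; after changing the options, restart Squid and confirm with a handshake-level test, because a config lint only proves the directive is present, not that the running binary honours it.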