OpenSSL Security issues

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Apr 8 23:50:25 CEST 2014


On 8 Apr 2014, at 21:32, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> 
> On 8 Apr 2014, at 20:42, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
>> But sites (well, admins) who are unaware may enable the cache... In which case there should be an interlock which means they must also turn off the openssl version check safety trigger too? 
>> 
>> As the heartbleed issue isn't as shocking as feared for freeradius is there any need for the current check to be so hard on you if you've got 1.0.1 < g installed now? (However, I'm guessing yes if you run other SSL/TLS services on the same box eg Web server since attacker can scan your memory slowly, so just protecting them from themselves)
> 
> Memory protection should kick in and trigger a SEGV if they tried to read memory allocated to another process.

Anyway, tweaked the security.allow_vulnerable_openssl behaviour.

In tls.c there's now the start of what I'm sure will become a 
large and depressing array:

#include <stdint.h>

/* Type the table entries use; added so the fragment compiles on its own (matches the definition in tls.c) */
typedef struct libssl_defect {
	uint64_t	high;
	uint64_t	low;
	char const	*id;
	char const	*name;
	char const	*comment;
} libssl_defect_t;

/* Record critical defects in libssl here (newest first); low/high use OpenSSL's 0xMNNFFPPS version number layout */
static libssl_defect_t libssl_defects[] =
{
	{
		.low		= 0x010001000,		/* 1.0.1  */
		.high		= 0x01000106f,		/* 1.0.1f */
		.id		= "CVE-2014-0160",
		.name		= "Heartbleed",
		.comment	= "For more information see http://heartbleed.com"
	}
};

If security.allow_vulnerable_openssl == libssl_defects[0].id then the check is disabled.

If security.allow_vulnerable_openssl == 'yes' then the check is disabled.

The server will output something like:
Refusing to start with libssl version OpenSSL 1.0.1 14 Mar 2012 0x01000100f (1.0.1 15) (in range 1.0.1-0 - 1.0.1f-15)
Security advisory Heartbleed (CVE-2014-0160)
For more information see http://heartbleed.com

For each applicable vulnerability, then:
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'

This way it's not a one-time thing the admin disables and forgets about.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
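The version check the mail describes, written out as an added example (this is not the tls.c code itself): it walks the whole defect table rather than only entry 0, so an admin's acknowledgment of one CVE id never silences a later, different entry, while 'yes' still disables the check outright. The function name and its two arguments are my assumptions; the table is the one from the mail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table layout from the mail; the typedef is assumed to match tls.c. */
typedef struct libssl_defect {
	uint64_t	high;
	uint64_t	low;
	char const	*id;
	char const	*name;
	char const	*comment;
} libssl_defect_t;

/* Same single entry as the mail, newest first. Version numbers use OpenSSL's 0xMNNFFPPS layout. */
static libssl_defect_t libssl_defects[] = {
	{
		.low		= 0x010001000,		/* 1.0.1  */
		.high		= 0x01000106f,		/* 1.0.1f */
		.id		= "CVE-2014-0160",
		.name		= "Heartbleed",
		.comment	= "For more information see http://heartbleed.com"
	}
};

/*
 * Hypothetical helper: 'version' is the running libssl's version number
 * (what SSLeay() returns), 'allow' is security.allow_vulnerable_openssl
 * (NULL or "no" when unset). Returns 0 when it is safe to start, -1 when
 * the version sits inside a defective range that the admin has not
 * acknowledged by that defect's CVE id (or by the blanket "yes").
 */
int check_libssl_version(uint64_t version, char const *allow)
{
	size_t i;
	for (i = 0; i < sizeof(libssl_defects) / sizeof(libssl_defects[0]); i++) {
		libssl_defect_t const *d = &libssl_defects[i];
		if ((version < d->low) || (version > d->high)) continue;

		/* Acknowledging one CVE must not silence a different one */
		if (allow && ((strcmp(allow, "yes") == 0) || (strcmp(allow, d->id) == 0))) continue;

		fprintf(stderr, "Refusing to start with libssl version 0x%09llx "
			"(in range 0x%09llx - 0x%09llx)\n", (unsigned long long)version,
			(unsigned long long)d->low, (unsigned long long)d->high);
		fprintf(stderr, "Security advisory %s (%s)\n%s\n", d->name, d->id, d->comment);
		return -1;
	}
	return 0;
}
```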


