No sooner do I read this evening that Fedora and others a re quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug that I log into my 516 to see what version it's running. Oh my, 1.0.1e. When did that happen? Are there magic upgrade faeries on the NAS? :D

OpenSSL 1.0.1e is over a year old. It does not fix the latest TLS bug reported today (CVE-2014-0160, aka "Heartbleed"). All versions of OpenSSL 1.0.1 before 1.0.1g are vulnerable, as are the 1.0.2 betas up to and including 1.0.2-beta1.The 1.0.0 and 0.9.8 branches are NOT affected, although of course they have other vulnerabilities and non-security bugs that have been fixed in the later versions.ReadyNAS devices running OS4 are unaffected by the new bug; they're running 0.9.8o at best. I don't know what version of OpenSSL is running on the OS5 devices.

Yeah, I was reading more about the patch and realized it's 1.0.1g that has the fix. So ROS 6.1.6 is definitely vulnerable.

My RN102 is running OpenSSL 1.0.1e as part of OS6.1.6,Can we upgrade it by hand or do we have to wait for an update from Netgear?

I wouldn't wait for an update. With Netgear's average speed of updating, you'll be waiting for months.Download either the AMD64 or i386 package depending on the architecture of your NAS. To find out which one you need, log in to SSH on your device and type "uname -m". If that returns "x86" take the i386, if it returns "x86_64" use the AMD64 version.AMD64: http://security.debian.org/debian-secur ... _amd64.debi386: http://security.debian.org/debian-secur ... 5_i386.debWhile in SSH, enter the following commands:AMD64:wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u5_amd64.debdpkg -i openssl_1.0.1e-2+deb7u5_amd64.debservice apache2 restartservice ssh restarti386:wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u5_i386.debdpkg -i openssl_1.0.1e-2+deb7u5_i386.debservice apache2 restartservice ssh restartYou're good to go.

Don't those two options both re-install the current (insecure) version - 1.0.1e?I believe the fixed version is 1.0.1g, which I don't see anywhere.

ROS 6, OpenSSL, and package updates?

47 Replies

Replies have been turned off for this discussion

hunger

Apprentice

Apr 11, 2014

# dpkg -l | grep libssl
ii  libssl1.0.0:amd64               1.0.1e-2+deb7u3               amd64        SSL shared libraries

hunger
Apprentice
Apr 11, 2014
Guess I need libssl1.0.0_1.0.1e-2+deb7u6_amd64.deb too.

hunger

Apprentice

Apr 11, 2014

I did this:

wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1e-2+deb7u6_amd64.deb
dpkg -i libssl1.0.0_1.0.1e-2+deb7u6_amd64.deb
service apache2 restart
service ssh restart

That fixed it.

arnomc
Aspirant
Apr 11, 2014
I have the same problem as yours : the test page http://filippo.io/Heartbleed/ give me 1 third of green ok and 2/3 of red still vulnerable. After reading the FAQ, I think I am still vulnerable :/

fastfwd

Virtuoso

Apr 11, 2014

arnomc wrote:
I have the same problem as yours : the test page http://filippo.io/Heartbleed/ give me 1 third of green ok and 2/3 of red still vulnerable. After reading the FAQ, I think I am still vulnerable :/

arnomc wrote:
I have the same problem as yours : the test page http://filippo.io/Heartbleed/ give me 1 third of green ok and 2/3 of red still vulnerable. After reading the FAQ, I think I am still vulnerable :/

Right. The directions that you posted earlier are incomplete: Both the openssl package and the libssl1.0.0 package must be updated.

arnomc
Aspirant
Apr 11, 2014
Thanks for your input fastfwd, I already corrected my post.
xeltros
Apprentice
Apr 11, 2014
I'd like to temperate a bit. Yes you NAS are vulnerable unless fully patched (in security, the overall security level is the one of the weakest link).
That said I don't see anyone wanting to put some effort hacking a single NAS in an unknown network. If you use them in enterprise, they don't have access to internet, so danger comes only from insiders (yep I know most of critical attacks on an information system come from inside).
On top of that I read this : http://www.theverge.com/2014/4/11/56043 ... -after-all

So if you want to patch, do it, that's always a good idea to be fully patched. Otherwise I think you'll need to wait a month at least to get official patch unless it's been silently released under 6.1.7 security fix section. (6.1.7 has gone final today, so no RC6 to fix it and I don't think 6.2.0 will be released in april, I may be wrong though).

ljung

Tutor

Apr 11, 2014

xeltros wrote:
I'd like to temperate a bit. Yes you NAS are vulnerable unless fully patched (in security, the overall security level is the one of the weakest link).
That said I don't see anyone wanting to put some effort hacking a single NAS in an unknown network. If you use them in enterprise, they don't have access to internet, so danger comes only from insiders (yep I know most of critical attacks on an information system come from inside).
On top of that I read this : http://www.theverge.com/2014/4/11/56043 ... -after-all

So if you want to patch, do it, that's always a good idea to be fully patched. Otherwise I think you'll need to wait a month at least to get official patch unless it's been silently released under 6.1.7 security fix section. (6.1.7 has gone final today, so no RC6 to fix it and I don't think 6.2.0 will be released in april, I may be wrong though).

xeltros wrote:
I'd like to temperate a bit. Yes you NAS are vulnerable unless fully patched (in security, the overall security level is the one of the weakest link). That said I don't see anyone wanting to put some effort hacking a single NAS in an unknown network. If you use them in enterprise, they don't have access to internet, so danger comes only from insiders (yep I know most of critical attacks on an information system come from inside). On top of that I read this : http://www.theverge.com/2014/4/11/56043 ... -after-all So if you want to patch, do it, that's always a good idea to be fully patched. Otherwise I think you'll need to wait a month at least to get official patch unless it's been silently released under 6.1.7 security fix section. (6.1.7 has gone final today, so no RC6 to fix it and I don't think 6.2.0 will be released in april, I may be wrong though).

Did the 6.1.7 update before and I think its patched (I did not upgrade the packages myself so must have been the firmware).

root@e1:~# dpkg -l | grep ssl
ii libssl1.0.0:armel 1.0.1e-2+deb7u6 armel SSL shared libraries
ii openssl 1.0.1e-2+deb7u6 armel Secure Socket Layer (SSL) binary and related cryptographic tools

root@e1:~# openssl version -b
built on: Tue Apr 8 10:12:55 UTC 2014

xeltros
Apprentice
Apr 11, 2014
Checked one minute ago (I always check backups before upgrading firmware), same result here, aptitude doesn't have any updated version either. So yes may be fixed (silently like suggested in my post). I can't take heart bleed test since my NAS isn't internet accessible so the tester will have a firewall drop packet and will say I'm good to go no matter the openssl version I have ;)
alanwsg1
Aspirant
Apr 11, 2014
Just updated my RN102 to OS6.1.7 and can confirm it's fixed.
Using http://filippo.io/Heartbleed/ it showed it vulnerable at 6.1.6, secure at 6.1.7

Forum Discussion

ROS 6, OpenSSL, and package updates?

47 Replies

Related Content

R8500 Unable to update the OpenVPN Configuration Package

FIRMWARE UPDATE: Orbi 870 Series v10.5.20.4

M4250 driver update issue

Package loss with RAX200

Orbi RBR750 satelite update without ethernet

NETGEAR Academy

ProSupport for Business