DROWN attacks vs openssl


DROWN attacks vs openssl

Me_3594
My Shield shows that openssl is at version 1.0.2d 9 Jul 2015, while 1.0.2g is already released according to https://www.openssl.org/

http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/
https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack
https://drownattack.com/

I am reading a lot about this DROWN attack on SSLv2 and I have a VPN set up in Shield. How can I update openssl, or what can I do to prevent such an attack with 1.0.2d?

Re: DROWN attacks vs openssl

user8446
Administrator
First, use the latest fw_upgrade script version that forces TLS1.0 connections and above: http://itus.accessinnov.com/Update-script-fw-upgrade-td43.html

Second, update your OpenSSL version to 1.0.2g:

In /etc/opkg.conf add these lines at the end:

arch cn70xx 100
arch octeon 200
arch all 300

Download the new version from here:
https://downloads.openwrt.org/chaos_calmer/15.05/octeon/generic/packages/base/openssl-util_1.0.2g-1_octeon.ipk

Update it:
opkg install ../openssl-util_1.0.2g-1_octeon.ipk
Running in bridge mode, 1.51 SP1 fw
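Added here as a worked example (not code from the thread, and not part of the Shield or OpenWrt projects): a POSIX sh helper for verifying the upgrade above. It compares OpenSSL 1.0.x-style version strings such as 1.0.2d and 1.0.2g, checks that an openssl binary is still on PATH after the install, and reports whether opkg left an /etc/ssl/openssl.cnf-opkg that differs from the live conffile. The minimum version and the /etc/ssl path are assumptions; the live check only runs when RUN_CHECK=1 is set.

```shell
#!/bin/sh
# Added example: post-upgrade verification for the opkg OpenSSL update.
# Not from the thread; assumes OpenSSL 1.0.x version strings ("1.0.2g").

# Map "1.0.2g" to a sortable integer: x.y.z fields plus the patch letter
# (a=1 ... z=26, no letter = 0), so 1.0.2d < 1.0.2g < 1.0.2h < 1.1.0.
ver_key() {
    base=${1%[a-z]*}                 # "1.0.2g" -> "1.0.2"
    letter=${1#"$base"}              # "g" or empty
    if [ -n "$letter" ]; then
        l=$(printf '%d' "'$letter"); l=$((l - 96))   # ASCII code -> 1..26
    else
        l=0
    fi
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + l ))
}

# True when version $1 is at least version $2.
openssl_ver_ge() { [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]; }

# Extract "1.0.2d" from a banner such as "OpenSSL 1.0.2d 9 Jul 2015".
ver_from_banner() { set -- $1; echo "$2"; }

# Report the conffile state opkg left behind in $1 (default /etc/ssl):
# none (no openssl.cnf-opkg), identical, or differs.
conffile_status() {
    dir=${1:-/etc/ssl}
    if [ ! -e "$dir/openssl.cnf-opkg" ]; then echo none
    elif cmp -s "$dir/openssl.cnf" "$dir/openssl.cnf-opkg"; then echo identical
    else echo differs; fi
}

# Check the live router: binary present, version >= $1, conffile state.
# Exit 2 = openssl missing from PATH (the "not found" case in this thread),
# 1 = still on an older release, 0 = up to date.
check_router() {
    min=${1:-1.0.2g}
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not on PATH: a file clash may have removed /usr/bin/openssl"; return 2
    fi
    cur=$(ver_from_banner "$(openssl version)")
    if openssl_ver_ge "$cur" "$min"; then
        echo "OpenSSL $cur is at or above $min"
    else
        echo "OpenSSL $cur is older than $min: upgrade still needed"; return 1
    fi
    echo "conffile: $(conffile_status /etc/ssl)"
}
# Run the live check only when asked, so the helpers can be sourced or tested.
if [ "${RUN_CHECK:-0}" = 1 ]; then check_router "${MIN_VERSION:-1.0.2g}"; fi
```

Run it on the router as `RUN_CHECK=1 sh check_openssl.sh` after `opkg install`; a non-zero exit means the upgrade did not take effect.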

Re: DROWN attacks vs openssl

Roadrunnere42
Hi,
I followed your instructions and got the following.

The .ipk was downloaded to root and run with opkg install ../openssl-util_1.0.2g-1_octeon.ipk from root:

bin                               overlay
dev                               proc
etc                               ramfs
include                           rom
init                              root
lib                               sbin
lib64                             sys
lost+found                        tmp
mnt                               usr
openssl-util_1.0.2g-1_octeon.ipk  var
opt                               www
root@Shield:/# opkg install ../openssl-util_1.0.2g-1_octeon.ipk
Installing openssl-util (1.0.2g-1) to root...
Configuring openssl-util.
Collected errors:
 * resolve_conffiles: Existing conffile /etc/ssl/openssl.cnf is different from the conffile in the new package. The new conffile will be placed at /etc/ssl/openssl.cnf-opkg.
root@Shield:/# cd etc/
root@Shield:/etc# cd ssl
root@Shield:/etc/ssl# ls
certs             openssl.cnf       openssl.cnf-opkg  private

What do I have to do now, or is this OK?


roadrunnere42

Re: DROWN attacks vs openssl

Hans
Administrator
Roadrunnere42 wrote
 * resolve_conffiles: Existing conffile /etc/ssl/openssl.cnf is different from the conffile in the new package. The new conffile will be placed at /etc/ssl/openssl.cnf-opkg.
I tried the same steps but am stuck right now.

openssl.cnf-opkg and openssl.cnf are exactly the same according to a file compare

Now I am getting:
root@Shield:/etc/ssl# openvpn
Usage message not available
root@Shield:/etc/ssl# openvpn --help
Usage message not available
root@Shield:/etc/ssl# openvpn version
Options error: In [CMD-LINE]:1: Error opening configuration file: version
Use --help for more information.
root@Shield:/etc/ssl# openssl
-ash: openssl: not found

I made the change in my active Shield - not my sandbox. Any way to restore it (besides a factory reset)?
root@Shield:/etc/ssl# openssl
OpenSSL> version
OpenSSL 1.0.2d 9 Jul 2015
OpenSSL> help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse      ca             ciphers        cms            crl
....
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: DROWN attacks vs openssl

user8446
Administrator
Odd. You don't get that unless the files are different. Here is that file on my box: openssl.cnf

You shouldn't have to downgrade, just reinstall it again. Delete the new .cnf-opkg file, it may conflict. Try the force reinstall option switch and reinstall: opkg install --force-reinstall
Running in bridge mode, 1.51 SP1 fw

Re: DROWN attacks vs openssl

Hans
Administrator
user8446 wrote
Odd. You don't get that unless the files are different. Here is that file on my box: openssl.cnf

You shouldn't have to downgrade, just reinstall it again. Delete the new .cnf-opkg file, it may conflict. Try the force reinstall option switch and reinstall: opkg install --force-reinstall
This is what is happening:

root@Shield:/etc/ssl# mv openssl.cnf openssl.cnf__
root@Shield:/etc/ssl# cd /
root@Shield:/# opkg install --force-reinstall  openssl-util_1.0.2g-1_octeon.ipk
No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Configuring openssl-util.
root@Shield:/# openssl
-ash: openssl: not found

It is not the path:
root@Shield:/# env
SSH_CLIENT=x.x.x.x 1235 22
USER=root
SHLVL=1
OLDPWD=/etc/ssl
HOME=/root
SSH_TTY=/dev/pts/0
PS1=\u@\h:\w\$
LOGNAME=root
TERM=xterm
PATH=/usr/bin:/usr/sbin:/bin:/sbin
SHELL=/bin/ash
PWD=/
SSH_CONNECTION=x.x.x.y 1235 x.x.x.x 22
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: DROWN attacks vs openssl

user8446
Administrator
What are you getting on this?

opkg info openssl-util
Running in bridge mode, 1.51 SP1 fw

Re: DROWN attacks vs openssl

Roadrunnere42
In reply to this post by user8446
I removed the file as you said and ran the following:

 opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk

No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * ohns
 * opkg_install_cmd: Cannot install package openssl-util.

I then ran:

opkg info openssl-util
Package: openssl-util
Version: 1.0.2g-1
Depends: libc, libopenssl
Status: install prefer,user not-installed
Architecture: octeon
Conffiles:
 /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0


So am I running 1.0.2g-1 already?

roadrunnere42



Re: DROWN attacks vs openssl

Hans
Administrator
Roadrunnere42 wrote
I removed the file as you said and ran the following:

 opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk

No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * ohns
 * opkg_install_cmd: Cannot install package openssl-util.

I then ran:

opkg info openssl-util
Package: openssl-util
Version: 1.0.2g-1
Depends: libc, libopenssl
Status: install prefer,user not-installed
Architecture: octeon
Conffiles:
 /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0


So am I running 1.0.2g-1 already?

roadrunnere42
This is what I got on a 1.51 SP1 clean (!) router-mode Shield:

root@Shield:/# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/luci
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/management
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/telephony
# src/gz chaos_calmer_targets http://downloads.openwrt.org/chaos_calmer/15.05-rc3/octeon/generic/packages/targets
#option check_signature 1
arch cn70xx 100
arch octeon 200
arch all 300
root@Shield:/# openssl version
OpenSSL 1.0.2d 9 Jul 2015
root@Shield:/# curl -k https://downloads.openwrt.org/chaos_calmer/15.05/octeon/generic/packages/base/openssl-util_1.0.2g-1_octeon.ipk -o openssl-util_1.0.2g-1_octeon.ipk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  188k  100  188k    0     0   119k      0  0:00:01  0:00:01 --:--:--  120k
root@Shield:/# ls -al
drwxr-xr-x   17 root     root          4096 Nov 26 03:01 .
drwxr-xr-x   17 root     root          4096 Nov 26 03:01 ..
drwxr-xr-x    2 root     root          4096 Nov 26 03:01 bin
drwxr-xr-x    5 root     root         11280 Nov 26 03:00 dev
drwxrwxr-x   26 root     root          4096 Nov 26 03:01 etc
drwxr-xr-x    3 root     root          4096 Nov 26 03:01 include
-rwxrwxr-x    1 root     root          1647 May  4  2015 init
drwxr-xr-x   12 root     root          4096 Nov 10 05:39 lib
lrwxrwxrwx    1 root     root             3 Nov 26 03:01 lib64 -> lib
drwx------    2 root     root         16384 Nov 26 03:01 lost+found
drwxr-xr-x    2 root     root          4096 May  4  2015 mnt
-rw-r--r--    1 root     root        193192 Nov 26 03:01 openssl-util_1.0.2g-1_octeon.ipk
dr-xr-xr-x   73 root     root             0 Jan  1  1970 proc
drwxrwxr-x    2 root     root          4096 Nov 26 03:01 rom
drwxr-xr-x    2 root     root          4096 May  4  2015 root
drwxr-xr-x    2 root     root          4096 Nov 26 03:01 sbin
dr-xr-xr-x   11 root     root             0 Jan  1  1970 sys
drwxrwxrwt   18 root     root           480 Nov 26 03:01 tmp
drwxr-xr-x    8 root     root          4096 Aug 20 03:18 usr
lrwxrwxrwx    1 root     root             4 Nov 26 03:01 var -> /tmp
drwxrwxr-x    6 root     root          4096 Nov 26 03:01 www
root@Shield:/# opkg install ./openssl-util_1.0.2g-1_octeon.ipk
root@Shield:/# openssl version
OpenSSL 1.0.2d 9 Jul 2015
root@Shield:/# env
SHLVL=2
OLDPWD=/overlay
HOME=/root
PS1=\u@\h:\w\$
TERM=linux
serial#=my_sandbox
PATH=/usr/bin:/usr/sbin:/bin:/sbin
numcores=2
PWD=/
root@Shield:/# env
root@Shield:/# opkg install ./openssl-util_1.0.2g-1_octeon.ipk
Upgrading openssl-util on root from 1.0.2a-0 to 1.0.2g-1...
Configuring openssl-util.
root@Shield:/# openssl version
/bin/ash: openssl: not found
root@Shield:/#  opkg install --force-reinstall ./openssl-util_1.0.2g-1_octeon.ipk
No packages removed.
Installing openssl-util (1.0.2g-1) to root...
Collected errors:
 * check_data_file_clashes: Package openssl-util wants to install file /usr/bin/openssl
        But that file is already provided by package  * o_Velho
 * opkg_install_cmd: Cannot install package openssl-util.
root@Shield:/# openssl version
/bin/ash: openssl: not found
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes

Re: DROWN attacks vs openssl

user8446
Administrator
In that case a --force-overwrite should do the trick.
Running in bridge mode, 1.51 SP1 fw

Re: DROWN attacks vs openssl

Wisiwyg
OpenSSL has been updated to 1.0.2h due to vulnerabilities in prior versions...

The Chaos Calmer repo has not been updated yet.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: DROWN attacks vs openssl

user8446
Administrator
You can now get 1.0.2h in the snapshot openwrt repo:

https://downloads.openwrt.org/snapshots/trunk/octeon/generic/packages/base/openssl-util_1.0.2h-1_octeon.ipk
Running in bridge mode, 1.51 SP1 fw

Re: DROWN attacks vs openssl

Gnomad
Thanks - it installed very quickly and simply for me:
root@Shield:/tmp/ramdisk# opkg install openssl-util_1.0.2h-1_octeon.ipk
Upgrading openssl-util on root from 1.0.2g-1 to 1.0.2h-1...
Configuring openssl-util.

root@Shield:/tmp/ramdisk# opkg info openssl-util
Package: openssl-util
Version: 1.0.2h-1
Depends: libc, libopenssl
Status:  install user installed
Architecture: octeon
Conffiles:      /etc/ssl/openssl.cnf 06baa8f15992bacd3e5b113cd571d828c0
Installed-Time: 1462973213
Router 1.51 SP1, fw_upgrade v8.3.6

Re: DROWN attacks vs openssl

Roadrunnere42
In reply to this post by Wisiwyg
Hi Wisiwyg,

Very easy to upgrade, and thanks for the reminder.

roadrunnere42