OpenSSL heartbleed Vulnerability
Hey, so I've checked the version currently used in Unraid 6 beta 3 and it's OpenSSL 1.0.1e which is affected by the bug announced yesterday. The next beta should be updated to OpenSSL 1.0.1g or anything in the 0.9.8 or 1.0.0 branches to prevent any hackers from gaining full access to your ram.

 

This is especially bad in this case since the entire OS is stored in ram and the bug gives the attacker full access to everything in RAM.

 

Affected versions of OpenSSL are 1.0.1 to 1.0.1f (g is not affected nor are the other branches lower than 1.0.1)

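The version rule stated in the post above (1.0.1 through 1.0.1f affected; 1.0.1g and the 0.9.8 / 1.0.0 branches not) can be turned into an inventory check. This is an added example, not code from the thread or from Unraid; it parses the banner printed by `openssl version` and the host names in the sample inventory are constructed.

```python
import re

# Banner format printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Captures major.minor.fix plus the optional patch letter (e, f, g, ...).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample inventory (host name -> banner reported by that host).
SAMPLE_INVENTORY = {
    "unraid-beta3": "OpenSSL 1.0.1e 11 Feb 2013",   # the build named in the post
    "patched-box":  "OpenSSL 1.0.1g 7 Apr 2014",    # first fixed 1.0.1 release
    "old-branch":   "OpenSSL 0.9.8y 5 Feb 2013",    # branch never had heartbeats
}


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a banner, or None if it is not OpenSSL."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_affected(banner):
    """Affected range per the thread: 1.0.1 (no letter) up to and including 1.0.1f."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False          # 0.9.8, 1.0.0 and anything newer than 1.0.1 are out of scope
    # "" sorts before "a", so the base 1.0.1 release and a..f are flagged; g and later are not.
    return letter <= "f"


def audit(inventory):
    """Names of hosts whose reported OpenSSL build falls in the affected range."""
    return [name for name, banner in inventory.items() if is_heartbleed_affected(banner)]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to 1.0.1g or later")
```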

This is especially bad in this case since the entire OS is stored in ram and the bug gives the attacker full access to everything in RAM.

 

This isn't true at all. They get a specific 64k segment which may or may not contain 'useful' data.

 

openssl in unraid may be vulnerable but if there is nothing in unraid built against it or actually using it for outward facing services then there should be no exposure.

 

I don't think emhttp runs over https so for 'stock' unraid does anything actually use it?

 

Third party plugins would be a completely separate conversation.

 

And of course the overriding point is that the usual advice here is not to expose unraid to the internet. I personally don't have a problem with doing so but certainly 'out of the box' it wouldn't be a good idea.

 

Overall I suspect your vulnerability, for a standard unraid install, would be extremely low.

 


Currently, especially if your webGUI is password protected, there is a high chance that someone on your network could very easily gain access to your unRAID server. You transmit your password essentially in plain text over your network at the moment, which is something SSL is designed to prevent.

 

Even with the vulnerability, you'd still be safer now with OpenSSL than without.

 

If you're on a home network, it's not really worth worrying about... the risk is relatively low. If you're running unRAID in a corporate environment, you'd better be sure it's segregated from primary networks if you're even slightly worried about the contents of your server.
