Relationship Graph

Relationship Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

IDProjectCategoryView StatusLast Update
0007804Kali LinuxKali Package Bugpublic2022-08-29 01:11
Reporterkzb Assigned Tosbrun  
PriorityimmediateSeveritycrashReproducibilityalways
Status resolvedResolutionfixed 
Product Version2022.2 
Fixed in Version2022.3 
Summary0007804: msfsconsole, msfvenom crashing on newst kali
Description

Hi, like titlte
error is: ruby 3.0; pkeys are immuatable on OpenSSL 3.0 OopenSSL::PKey::PKeyError

immediate patch is needed! Do not upgrade until fixed, please!

Steps To Reproduce

sudo apt-get full-upgrade -y
msfconsole (start msf)
or
msfvenom

Additional Information

see Screenshot

Attached Files
Screenshot_20220718_114040.png (82,688 bytes)   
Screenshot_20220718_114040.png (82,688 bytes)   

Relationships

has duplicate 0007808 closedsbrun Update error metasploit 
has duplicate 0007809 closed msfsconsole, msfvenom crashing on newst kali. 
related to 0007863 resolvedsbrun msf warnings: already initialized constant 

Activities

kzb

kzb

2022-07-18 10:17

reporter   ~0016399

initial report by: aBcDefgHIjKlMnOp (alphabetman) on offsec discord

issue id 16782 on github (probably ref link to another issue)

rhertzog

rhertzog

2022-07-18 14:43

administrator   ~0016400

Upstream tickets:
https://github.com/rapid7/metasploit-framework/issues/16780
https://github.com/rapid7/metasploit-framework/issues/16782

X0RW3LL

X0RW3LL

2022-07-18 21:40

reporter   ~0016401

Hi team,

Kindly find the fix I've provided here: https://github.com/rapid7/metasploit-framework/issues/16782#issuecomment-1188326052

adfoster-r7

adfoster-r7

2022-07-18 23:33

reporter   ~0016402

The Metasploit team has patch applied to mitigate the crash on Metasploit 6.2.8 - https://github.com/rapid7/metasploit-framework/pull/16771. I don't believe this version is available on Kali yet, which only seems to offer 6.2.6 currently

The fix can be applied locally for Kali - https://github.com/rapid7/metasploit-framework/issues/16767#issuecomment-1185395510

adfoster-r7

adfoster-r7

2022-07-20 01:27

reporter   ~0016406

I haven't verified yet, but based on what I'm seeing in terms of the API changes with the OpenSSL 3.0 upgrade there may be other impacted tools in Kali's ecosystem - in particular Ruby tools

sbrun

sbrun

2022-07-20 10:19

manager   ~0016407

Hi
I have uploaded the version 6.2.7-0kali1 yesterday. It was only a renaming of the ssh module.

I just uploaded a new version 6.2.7-0kali2. I removed the renaming and I included the fix of the gem hrr_rb_ssh. It should be available in few hours on all the mirrors.

adfoster-r7

adfoster-r7

2022-07-20 12:45

reporter   ~0016408

Thanks for the update sbrun :+1:

After more digging on Metasploit's side - it looks like Metasploit's SMB modules, and a handful of other modules that rely on RubyNTLM crypto, or legacy crypto in general such as des/rc4/etc, will be broken by the OpenSSL 3.0 changes as well.

Is it possible to pin Kali to OpenSSL 1.1.1 for a bit longer until there's more of a QA pass on Metasploit and Kali's other tools? Fixing Metasploit's transitive dependencies in Ruby gems will take a while to sort out.

sbrun

sbrun

2022-07-21 12:25

manager   ~0016415

Unfortunately I don't see any obvious way to use OpenSSL 1.1.1 in Kali.

Most of the packages are from Debian (like ruby, openssl...) and Debian has switched to OpenSSL3. The packages using OpenSSL in Debian have been rebuilt against OpenSSL 3 and they now require OpenSSL3.
Ruby 3 now requires OpenSSL3 in Kali . I can't change that easily.

I need to check what I can do without breaking the other Debian packages.

adfoster-r7

adfoster-r7

2022-07-21 16:02

reporter   ~0016416

Thanks for taking a look :+1:

Just an update on our side -

I'm working through upgrading metasploit-framework for improved OpenSSL 3 support currently - https://github.com/rapid7/metasploit-framework/pull/16800. The unit tests are now passing green, but there will still be modules that are broken if OpenSSL is being used and there's not a corresponding unit test to catch regressions.

So far there's 4 Ruby library dependencies that will need updated upstream to work with OpenSSL 3 - I've got PRs created for 3 of the libraries now. We might need to temporarily fork/monkey patch those libraries on Rapid7's side to unblock a release. I'm hoping to get our changes landed for the next release or so, so hopefully 1-2 weeks.

I haven't tested other Ruby tools in Kali's ecosystem, but there's the potential for those tools to also have issues.

daniruiz

daniruiz

2022-07-22 09:36

manager   ~0016418

This is now fixed with metasploit-framework 6.2.7-0kali3 in kali repositories

Issue History

Date Modified Username Field Change
2022-07-18 09:43 kzb New Issue
2022-07-18 09:43 kzb File Added: Screenshot_20220718_114040.png
2022-07-18 10:17 kzb Note Added: 0016399
2022-07-18 14:43 rhertzog Note Added: 0016400
2022-07-18 14:43 rhertzog Assigned To => sbrun
2022-07-18 14:43 rhertzog Status new => assigned
2022-07-18 21:40 X0RW3LL Note Added: 0016401
2022-07-18 23:33 adfoster-r7 Note Added: 0016402
2022-07-20 01:27 adfoster-r7 Note Added: 0016406
2022-07-20 10:19 sbrun Note Added: 0016407
2022-07-20 12:45 adfoster-r7 Note Added: 0016408
2022-07-20 15:38 Demonroyal Issue cloned: 0007809
2022-07-20 17:03 sbrun Relationship added has duplicate 0007808
2022-07-21 12:25 sbrun Note Added: 0016415
2022-07-21 16:02 adfoster-r7 Note Added: 0016416
2022-07-22 09:36 daniruiz Note Added: 0016418
2022-07-22 09:36 daniruiz Status assigned => resolved
2022-07-22 09:36 daniruiz Resolution open => fixed
2022-07-22 09:36 daniruiz Fixed in Version => 2022.3
2022-08-05 12:38 g0tmi1k Relationship added has duplicate 0007809
2022-08-26 07:14 sbrun Relationship added related to 0007863