| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007804 | Kali Linux | Kali Package Bug | public | 2022-07-18 09:43 | 2022-08-29 01:11 |
| Reporter | kzb | Assigned To | sbrun | ||
| Priority | immediate | Severity | crash | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 2022.2 | ||||
| Fixed in Version | 2022.3 | ||||
| Summary | 0007804: msfsconsole, msfvenom crashing on newst kali | ||||
| Description | Hi, like titlte immediate patch is needed! Do not upgrade until fixed, please! | ||||
| Steps To Reproduce | sudo apt-get full-upgrade -y | ||||
| Additional Information | see Screenshot | ||||
 |
initial report by: aBcDefgHIjKlMnOp (alphabetman) on offsec discord issue id 16782 on github (probably ref link to another issue) |
 |
Upstream tickets: |
 |
Hi team, Kindly find the fix I've provided here: https://github.com/rapid7/metasploit-framework/issues/16782#issuecomment-1188326052 |
 |
The Metasploit team has patch applied to mitigate the crash on Metasploit 6.2.8 - https://github.com/rapid7/metasploit-framework/pull/16771. I don't believe this version is available on Kali yet, which only seems to offer 6.2.6 currently The fix can be applied locally for Kali - https://github.com/rapid7/metasploit-framework/issues/16767#issuecomment-1185395510 |
|
|
I haven't verified yet, but based on what I'm seeing in terms of the API changes with the OpenSSL 3.0 upgrade there may be other impacted tools in Kali's ecosystem - in particular Ruby tools |
 |
Hi I just uploaded a new version 6.2.7-0kali2. I removed the renaming and I included the fix of the gem hrr_rb_ssh. It should be available in few hours on all the mirrors. |
|
|
Thanks for the update sbrun :+1: After more digging on Metasploit's side - it looks like Metasploit's SMB modules, and a handful of other modules that rely on RubyNTLM crypto, or legacy crypto in general such as des/rc4/etc, will be broken by the OpenSSL 3.0 changes as well. Is it possible to pin Kali to OpenSSL 1.1.1 for a bit longer until there's more of a QA pass on Metasploit and Kali's other tools? Fixing Metasploit's transitive dependencies in Ruby gems will take a while to sort out. |
|
|
Unfortunately I don't see any obvious way to use OpenSSL 1.1.1 in Kali. Most of the packages are from Debian (like ruby, openssl...) and Debian has switched to OpenSSL3. The packages using OpenSSL in Debian have been rebuilt against OpenSSL 3 and they now require OpenSSL3. I need to check what I can do without breaking the other Debian packages. |
|
|
Thanks for taking a look :+1: Just an update on our side - I'm working through upgrading metasploit-framework for improved OpenSSL 3 support currently - https://github.com/rapid7/metasploit-framework/pull/16800. The unit tests are now passing green, but there will still be modules that are broken if OpenSSL is being used and there's not a corresponding unit test to catch regressions. So far there's 4 Ruby library dependencies that will need updated upstream to work with OpenSSL 3 - I've got PRs created for 3 of the libraries now. We might need to temporarily fork/monkey patch those libraries on Rapid7's side to unblock a release. I'm hoping to get our changes landed for the next release or so, so hopefully 1-2 weeks. I haven't tested other Ruby tools in Kali's ecosystem, but there's the potential for those tools to also have issues. |
 |
This is now fixed with metasploit-framework 6.2.7-0kali3 in kali repositories |
