
I have one specific package (moodle) which is not available on newer versions of the aforementioned OS. The last version of moodle was available on OpenBSD 5.3, which is more than 4 years old.

Knowing of OpenBSD's impressive security track record, is there a security risk in installing the moodle package (www.moodle.org) on an OpenBSD 5.3 server exposed to Internet?

edited by HopelessN00b
asked by user166931

2 Answers


> I have one specific package (moodle) which is not available on newer versions of aforementioned OS (last version of moodle was available on OpenBSD 5.3) which is more than 4 years old.

In my opinion you ask the wrong question. The problem is less the old version of OpenBSD but more the old version of Moodle you want to run on this OpenBSD version. Although you don't specify details my guess is that you want to use this package (or here) which contains Moodle 1.9.16 on PHP 5.4 - both being very old.

OpenBSD releases are supported essentially for one year. Running a version of OpenBSD which is more than 3 years out of support can maybe be done if you really know what you are doing to keep the attack surface minimal enough - for example by only having SSH access with only key based authentication and if you have no untrusted users on your system.

But, running a large web application like Moodle definitely does not count as minimal attack surface. Web applications are usually complex and often have security vulnerabilities, sometimes even critical ones which allow remote code execution. And such vulnerabilities also exist with older versions of Moodle as a simple search shows. And while sometimes critical fixes get backported to older versions you can see from the commit history that the last change on this package was done 2012-01-21. I guess that this non-maintenance of the package was also the reason that it got removed from ports on 2013-09-20.

In other words: Running an old version of a large and complex application like Moodle with known critical security vulnerabilities is a very bad idea. And the security of OpenBSD will not help to protect you much in this case. It will not help much if you use a current version and it will help even less if you use an old and unmaintained version of OpenBSD.

Steffen Ullrich
  • But I don't think the OP is planning to run an old version of moodle. Rather, they are going to run the latest version of Moodle on an old version of OpenBSD. – Cave Johnson Dec 26 '17 at 18:36
  • 4
    @KodosJohnson: the OP wants to use an old version of OpenBSD since this is the only one where a Moodle package exists. Do you believe that a recent version of Moodle is supported only on a long unsupported OpenBSD version? According to [this](http://ports.su/www/moodle) it is probably the very old moodle 1.9.16 on also old PHP 5.4 – Steffen Ullrich Dec 26 '17 at 18:42
  • There’s nothing wrong with running PHP 5.4 code in 2017. PHP is routinely backported for patches across systems that are in LTS (Long Term Service) and are stable/rock solid. The whole purpose of backporting is to allow older, stable versions of software to be used on more modern setups. – Giacomo1968 Dec 27 '17 at 04:22
  • 1
    @JakeGould: PHP 5.4 end of life was September 2015. No fixes were done after 2015/09/03. See the official information about [Unsupported Branches](https://secure.php.net/eol.php). Anyway, the worst thing is the old Moodle version and not the old PHP or OpenBSD versions. – Steffen Ullrich Dec 27 '17 at 06:02
  • Sorry for my ignorance, but I supposed that packages on OpenBSD are going through almost same scrutiny and high security standard like OpenBSD OS.. – user166931 Dec 27 '17 at 07:04
  • @user166931: From [the FAQ](https://www.openbsd.org/faq/faq15.html): *"The ports collection does __not__ go through the same thorough security audit that is performed on the OpenBSD base system"*. Also, the package was removed from OpenBSD ports for a reason. And looking at the state of the package this reason was probably because nobody was maintaining it anymore and thus security (and other) issues did not get fixed. – Steffen Ullrich Dec 27 '17 at 07:08
  • @SteffenUllrich You miss the point about back ports. Here [read this example from Red Hat](https://access.redhat.com/security/updates/backporting): “For this reason, Red Hat provided (backported) the fix for this issue to the PHP 5.3 packages shipped with Red Hat Enterprise Linux 6 so that customers could keep using PHP 5.3 and would mitigate CVE-2014-3670 at the same time.” It means that if you use a respected package system, even if something is officially EOL, the maintainers of that packaging system have made a commitment to back port patches from 5.4 to 5.3 to support their users. – Giacomo1968 Dec 27 '17 at 16:01
  • @JakeGould: You are correct that OpenBSD also does support some end of life versions of PHP with backporting. But since support times for OpenBSD releases are much shorter compared to RHEL (there is no OpenBSD LTS) and the user base is much smaller (i.e. less need for backports and less man power to do it) there is no such extensive backporting done. As for PHP 5.4 it looks like some patches were done after the latest release for a few months. But this PHP version was finally removed from ports 20 months ago. See http://openports.se/hist/lang/php/5.4 – Steffen Ullrich Dec 27 '17 at 16:25

BSD has nothing to do with it (but it's a good choice).

Running older software is quite possible if properly patched.

Google and the CVE DB are your friends

https://www.google.com/search?q=open+bsd+5.3+vulnerabilities

https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-121223/Openbsd-Openssh-5.3.html

Determine whether the nine vulnerabilities are relevant to your configuration and deployment and whether you can patch them.

Search for Moodle and any other services you plan to advertise on the web for CVEs, determine their relevance and patch accordingly.

IF YOU DETERMINE some vulnerabilities cannot be patched or mitigated, then determine if a secure tunneling method suits your accessibility requirements, i.e. a firewall rule granting access to specific ranges of IP addresses, a VPN to your edge router which provides controlled access to your Moodle box.

These are general options to a vast array of solutions that will accomplish your objective!
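The restricted-access measures both answers mention (SSH with key-based authentication only in the first, a firewall rule admitting only specific address ranges in the second), as an added example that is not taken from either answer: a pf ruleset and an sshd_config fragment for OpenBSD, assuming the external interface is em0 and using RFC 5737 documentation ranges as placeholders for the networks that are allowed to reach the Moodle box.

```conf
# /etc/pf.conf (assumed path; interface name and address ranges below are placeholders)
ext_if    = "em0"                                   # assumed external interface
admin_net = "{ 192.0.2.0/24, 198.51.100.0/24 }"     # placeholder ranges allowed to reach Moodle and SSH
web_ports = "{ 80, 443 }"                           # ports the Moodle web server listens on

set skip on lo                                      # never filter loopback traffic
block log all                                       # default deny in both directions, log what is dropped
pass out on $ext_if                                 # let the host initiate outbound connections (stateful by default)

# Moodle web interface: reachable only from the listed ranges, not from the whole Internet
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port $web_ports

# SSH: same ranges only; authentication itself is further restricted in sshd_config
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port 22

# /etc/ssh/sshd_config (assumed path): key-based authentication only, no root login
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
```

Check the ruleset syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; sshd has to be restarted for the sshd_config change to take effect.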
