Posted: Wed Apr 09, 2014 20:09 Post subject: Heartbleed Fix without updated build
Are there any configuration solutions to resolve the heartbleed vulnerability? I see kong has a build but I'd rather not go down that road, things are stable here.
Router Name DD-WRT
Router Model Dlink-DIR-632A
Firmware Version DD-WRT v24-sp2 (05/27/13) std - build 21676
Alright, I'll word it this way. OpenSSL is the component that has the bug, therefore the only fix is to be running a version of OpenSSL that is not vulnerable.
No configuration of any kind will help you here. The OpenSSL libraries have a vuln, they need to be fixed. Without changing builds you can't do that. _________________ James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
Are you actually using OpenSSL on your router, though? E.g., do you have remote management over HTTPS turned on or use OpenVPN? By default, the components that use TLS aren't actually active, and if that's the case, then there's nothing you need to do.
A new build is needed only if your router contains a vulnerable build (19163 <= build < 23882) and the components that use OpenSSL are actually in use.
Are you actually using OpenSSL on your router, though? E.g., do you have remote management over HTTPS turned on or use OpenVPN? By default, the components that use TLS aren't actually active, and if that's the case, then there's nothing you need to do.
A new build is needed only if your router contains a vulnerable build (19163 <= build < 23882) and the components that use OpenSSL are actually in use.
Yes
Then you'll need to get a new build. Enabling/disabling TLS heartbeat is configured at buildtime, not at runtime.
if you have a USB port you can override the bad files
you will need an ext2 formatted flash drive with the updated library files on it
you will need to mount it then bind the new libraries to the old libraries
Code:
# mount --bind SOURCE TARGET: the fixed library (on the USB stick) is the
# source, and the library path baked into the firmware is the target it covers
mount --bind /path/to/newLIB /path/to/oldLIB
you will need to stop your openssl server while you run the bind commands
edit:
this seems to be necessary as ddwrt appears to not be vulnerable, at least build 23838
I used this script to check
http://pastebin.com/1HxgWpTN
put IPs to scan in a scan.txt file and run the script in python _________________ Router: Buffalo WZR-300HP w/ DD-WRT build #28444
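The two decisions made in this thread, whether a box is affected at all (vulnerable build range and a TLS-speaking service actually switched on) and how the USB bind-mount override is applied with the services stopped, as one shell script. This is an added example, not code from the thread or from the DD-WRT project. The build range and the "only if TLS is in use" rule come from the replies above; the library location /mnt/usb/lib, the service names httpd and openvpn, and the DD-WRT stopservice/startservice helpers are assumptions. The HTTPS-management and OpenVPN flags are passed in as 1/0 arguments rather than read from nvram, so the logic can be checked off-router.

```shell
#!/bin/sh
# Added example (not from the thread). Heartbleed triage and the USB
# bind-mount override for a DD-WRT router.
# Assumptions (hypothetical): fixed libssl/libcrypto copied to /mnt/usb/lib,
# firmware libraries in /usr/lib, TLS services named httpd and openvpn, and
# the DD-WRT stopservice/startservice helpers being present.

VULN_LOW=19163    # first vulnerable build (inclusive), as stated in the thread
VULN_HIGH=23882   # first fixed build (exclusive), as stated in the thread

# build_is_vulnerable BUILD -> 0 (true) if BUILD is in the vulnerable range
build_is_vulnerable() {
    [ "$1" -ge "$VULN_LOW" ] && [ "$1" -lt "$VULN_HIGH" ]
}

# needs_action BUILD HTTPS_MGMT OPENVPN
# 0 (true) only when the OpenSSL copy is vulnerable AND something that
# speaks TLS (HTTPS remote management or OpenVPN, 1/0) is switched on.
needs_action() {
    build="$1"; https="$2"; ovpn="$3"
    build_is_vulnerable "$build" || return 1
    [ "$https" = 1 ] || [ "$ovpn" = 1 ]
}

# svc stop|start NAME -> calls stopservice/startservice (assumed DD-WRT
# helpers); with DRY_RUN=1 it only prints what it would do.
svc() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "${1}service $2"; else "${1}service" "$2"; fi
}

# override_lib NEW OLD
# Bind-mounts the fixed library NEW over the in-firmware path OLD.
# mount --bind takes the source first and the path to cover second.
# DRY_RUN=1 prints the command instead of running it (real mounts need root).
override_lib() {
    new="$1"; old="$2"
    [ -f "$new" ] || { echo "override_lib: $new not found" >&2; return 1; }
    [ -e "$old" ] || { echo "override_lib: $old not found" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "mount --bind $new $old"
    else
        mount --bind "$new" "$old"
    fi
}

# apply_overrides [USB_LIB] [FW_LIB]
# Stops the TLS services, covers every libssl/libcrypto found on the stick
# with a bind mount, then starts the services again.
apply_overrides() {
    usb_lib="${1:-/mnt/usb/lib}"
    fw_lib="${2:-/usr/lib}"
    svc stop httpd; svc stop openvpn
    for f in "$usb_lib"/libssl.so* "$usb_lib"/libcrypto.so*; do
        [ -f "$f" ] || continue
        override_lib "$f" "$fw_lib/$(basename "$f")" || return 1
    done
    svc start httpd; svc start openvpn
}
```

For the router in the opening post (build 21676) `needs_action 21676 1 0` is true, so with HTTPS management on it needs either a new build or the override; `needs_action 21676 0 0` is false, matching the advice that nothing is needed if no TLS component is active. Run `DRY_RUN=1 apply_overrides` first to see the exact mount commands before doing it for real; the override does not survive a reboot, so it has to be repeated from a startup script.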
Wouldn't the libraries need to come from a new build with the patched libraries (which does not exist yet)
you could compile them from source
did you test to see if your router was vulnerable to heartbleed? _________________ Router: Buffalo WZR-300HP w/ DD-WRT build #28444