Heartbleed Fix without updated build

DD-WRT Forum Index -> Atheros WiSOC based Hardware
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

Posted: Wed Apr 09, 2014 20:09    Post subject: Heartbleed Fix without updated build
Are there any configuration solutions to resolve the heartbleed vulnerability? I see kong has a build but I'd rather not go down that road, things are stable here.

Router Name DD-WRT
Router Model Dlink-DIR-632A
Firmware Version DD-WRT v24-sp2 (05/27/13) std - build 21676
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Wed Apr 09, 2014 21:21
OpenSSL was updated in SVN.

http://svn.dd-wrt.com/changeset/23882

I'm sure a new build will be rolled soon.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

Posted: Wed Apr 09, 2014 21:24
James2k wrote:
OpenSSL was updated in SVN.

http://svn.dd-wrt.com/changeset/23882

I'm sure a new build will be rolled soon.


Not my question.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Wed Apr 09, 2014 21:27
Alright, I'll word it this way. OpenSSL is the component that has the bug, therefore the only fix is to be running a version of OpenSSL that is not vulnerable.

No configuration of any kind will help you here. The OpenSSL libraries have a vuln, they need to be fixed. Without changing builds you can't do that.

code65536
DD-WRT User


Joined: 28 Dec 2011
Posts: 100
Location: .us

Posted: Thu Apr 10, 2014 0:49
Are you actually using OpenSSL on your router, though? E.g., do you have remote management over HTTPS turned on, or use OpenVPN? By default, the components that use TLS aren't actually active, and if that's the case, then there's nothing you need to do.

A new build is needed only if your router contains a vulnerable build (19163 <= build < 23882) and the components that use OpenSSL are actually in use.
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

Posted: Thu Apr 10, 2014 1:03
code65536 wrote:
Are you actually using OpenSSL on your router, though? E.g., do you have remote management over HTTPS turned on, or use OpenVPN? By default, the components that use TLS aren't actually active, and if that's the case, then there's nothing you need to do.

A new build is needed only if your router contains a vulnerable build (19163 <= build < 23882) and the components that use OpenSSL are actually in use.


Yes
code65536
DD-WRT User


Joined: 28 Dec 2011
Posts: 100
Location: .us

Posted: Thu Apr 10, 2014 1:09
kev_rm wrote:
code65536 wrote:
Are you actually using OpenSSL on your router, though? E.g., do you have remote management over HTTPS turned on, or use OpenVPN? By default, the components that use TLS aren't actually active, and if that's the case, then there's nothing you need to do.

A new build is needed only if your router contains a vulnerable build (19163 <= build < 23882) and the components that use OpenSSL are actually in use.


Yes

Then you'll need to get a new build. Enabling/disabling TLS heartbeat is configured at build time, not at runtime.
evilkitty
DD-WRT User


Joined: 12 Mar 2014
Posts: 167
Location: USA

Posted: Sat Apr 12, 2014 22:58
If you have a USB port you can override the bad files.
You will need an ext2 formatted flash drive with the updated library files on it.
You will need to mount it, then bind the new libraries to the old libraries.
Code:
mount --bind /path/to/newLIB /path/to/oldLIB   # the new library now appears at the old library's path

You will need to stop your OpenSSL server while you run the bind commands.
Edit:
This seems to be necessary as DD-WRT appears to not be vulnerable, at least build 23838.
I used this script to check:
http://pastebin.com/1HxgWpTN
Put IPs to scan in a scan.txt file and run the script in Python.

_________________
Router: Buffalo WZR-300HP w/ DD-WRT build #28444
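A defender-side counterpart to the scanner linked in the post above, added here as an example (it is not code from this thread, from that pastebin, or from DD-WRT): it parses TLS records out of a byte stream and flags heartbeat messages whose declared payload_length cannot fit in the record once the mandatory padding is counted, which is the check IDS rules used to spot Heartbleed probes and over-long responses. The record layout and the 16-byte padding rule follow RFC 6520; the sample traffic is constructed, not captured.

```python
import struct

TLS_HEARTBEAT = 0x18  # TLS ContentType of the heartbeat extension (RFC 6520)
MIN_PADDING = 16      # RFC 6520: each heartbeat message ends with >= 16 padding bytes


def parse_tls_records(data: bytes):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) < length:
            break  # truncated record at the end of the capture; stop here
        yield ctype, version, fragment
        off += 5 + length


def check_heartbeat(fragment: bytes) -> str:
    """Return 'ok', 'short' or 'malformed' for one heartbeat fragment."""
    if len(fragment) < 3:
        return "short"
    declared_len = struct.unpack("!H", fragment[1:3])[0]
    actual_len = len(fragment) - 3  # bytes after the type and payload_length fields
    # The bug: an unpatched peer trusts declared_len and copies that many bytes
    # back, so a request whose declared length cannot fit is the tell-tale sign.
    if declared_len + MIN_PADDING > actual_len:
        return "malformed"
    return "ok"


def scan_stream(data: bytes):
    """Return [(record_index, verdict)] for every heartbeat record that is not 'ok'."""
    alerts = []
    for idx, (ctype, _ver, fragment) in enumerate(parse_tls_records(data)):
        if ctype == TLS_HEARTBEAT:
            verdict = check_heartbeat(fragment)
            if verdict != "ok":
                alerts.append((idx, verdict))
    return alerts


def _record(ctype: int, fragment: bytes) -> bytes:
    """Wrap a fragment in a TLS 1.1 (0x0302) record header."""
    return struct.pack("!BHH", ctype, 0x0302, len(fragment)) + fragment


# Constructed sample stream (not a real capture): a dummy handshake record, a
# well-formed heartbeat request (4-byte payload + 16 bytes padding), and a
# heartbeat request declaring 0x4000 payload bytes while carrying none.
HANDSHAKE = _record(0x16, b"\x01\x00\x00\x00")
BENIGN_HB = _record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
MALFORMED_HB = _record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000))
SAMPLE_STREAM = HANDSHAKE + BENIGN_HB + MALFORMED_HB
```

`scan_stream(SAMPLE_STREAM)` returns `[(2, 'malformed')]`: the handshake record is ignored, the well-formed heartbeat passes, and only the third record is flagged.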
kev_rm
DD-WRT Novice


Joined: 13 Jul 2013
Posts: 21

Posted: Sun Apr 13, 2014 10:32
evilkitty wrote:
If you have a USB port you can override the bad files.
You will need an ext2 formatted flash drive with the updated library files on it.
You will need to mount it, then bind the new libraries to the old libraries.
Code:
mount --bind /path/to/newLIB /path/to/oldLIB   # the new library now appears at the old library's path

You will need to stop your OpenSSL server while you run the bind commands.
Edit:
This seems to be necessary as DD-WRT appears to not be vulnerable, at least build 23838.
I used this script to check:
http://pastebin.com/1HxgWpTN
Put IPs to scan in a scan.txt file and run the script in Python.


Wouldn't the libraries need to come from a new build with the patched libraries (which does not exist yet)?
evilkitty
DD-WRT User


Joined: 12 Mar 2014
Posts: 167
Location: USA

Posted: Sun Apr 13, 2014 18:26
You could compile them from source.
Did you test to see if your router was vulnerable to Heartbleed?
