OpenVPN affected by OpenSSL bug CVE-2014-016?

fnfspam
DD-WRT Novice


Joined: 21 Jan 2014
Posts: 7

Posted: Tue Apr 08, 2014 9:43    Post subject: OpenVPN affected by OpenSSL bug CVE-2014-016?
Hi,

This morning OpenSSL announced a serious bug which can expose (among others) private Cert keys and session keys (http://heartbleed.com/). Since OpenVPN uses OpenSSL: is dd-wrt vulnerable?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 2139
Location: Germany

Posted: Tue Apr 08, 2014 12:59    Post subject: Re: OpenVPN affected by OpenSSL bug CVE-2014-016?
fnfspam wrote:
Hi,

This morning OpenSSL announced a serious bug which can expose (among others) private Cert keys and session keys (http://heartbleed.com/). Since OpenVPN uses OpenSSL: is dd-wrt vulnerable?


A quick look at the repository says all versions between ~19000 - 23882 are affected, previous releases should be fine, but they have other vulnerabilities.

For latest arm based units I already uploaded new builds. I'm sure BS will soon release new builds as well.
dynek
DD-WRT User


Joined: 19 Oct 2006
Posts: 131

Posted: Wed Apr 09, 2014 18:33
Would you happen to know if 18687 is impacted?
Don't feel like upgrading if it isn't, 'cause it's working just fine on my E4200.

edit: doesn't look like it is, cat | strings says "OpenSSL 0.9.8l 5 Nov 2009"
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1256
Location: Zwolle

Posted: Wed Apr 09, 2014 19:33
What process could be exploited with heartbleed? ssh connections? Otherwise I have no https connections to my routers. I don't use OpenVPN.

On the internet folks say that it does not affect ssh.

As far as I know, it only affects the servers which run unpatched OpenSSL (but 0.9.x are unaffected). So, unless you run a server with vulnerable OpenSSL in it, there is nothing to fear.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


wangmaster
DD-WRT Novice


Joined: 10 May 2011
Posts: 9

Posted: Thu Apr 10, 2014 0:25
http://community.openvpn.net/openvpn/wiki/heartbleed

Yes, openvpn is impacted by this.

However use of tls-auth can help mitigate this assuming you trust whoever has access to your tls-auth secret key. If your tls-auth key is compromised then this attack can be used.

Of course this assumes you are using a tls-auth key.
If you aren't, this is probably a good time to roll a new key/cert pair and add a tls-auth key while you're at it :)
code65536
DD-WRT User


Joined: 28 Dec 2011
Posts: 92
Location: .us

Posted: Thu Apr 10, 2014 0:46
dynek wrote:
Would you happen to know if 18687 is impacted?
Don't feel like upgrading if it isn't, 'cause it's working just fine on my E4200.

edit: doesn't look like it is, cat | strings says "OpenSSL 0.9.8l 5 Nov 2009"

You can also check the SVN.

DD-WRT started using the vulnerable code on 2012/04/29. Any DD-WRT build after (and including) 19163 has the flaw, and any build after (and including) 23882 has the fix.
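
The build cut-offs given in this post and the `strings` banner check from earlier in the thread, combined as an added example (not code from the forum or from the DD-WRT project). The function names are hypothetical, and the OpenSSL version range (1.0.1 through 1.0.1f, plus the early 1.0.2 betas) comes from the upstream advisory rather than from this page.

```shell
#!/bin/sh
# Added example, not DD-WRT project code. Cut-offs are the SVN build numbers
# quoted in the post above; banner samples in the demo are constructed.
FIRST_FLAWED=19163   # first build with the vulnerable OpenSSL code
FIRST_FIXED=23882    # first build carrying the fix

# classify_build <build-number> -> predates | flawed | fixed | unknown
classify_build() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -lt "$FIRST_FLAWED" ]; then echo predates
    elif [ "$1" -lt "$FIRST_FIXED" ]; then echo flawed
    else echo fixed
    fi
}

# banner_from_file <path> -> first "OpenSSL <version> <date>" string in a binary.
# Portable stand-in for strings(1): non-printable bytes become line breaks.
banner_from_file() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep '^OpenSSL [0-9]' | head -n 1
}

# classify_openssl "<banner>" -> affected-range | outside-range | unknown
# Heartbleed shipped in upstream 1.0.1 through 1.0.1f and the 1.0.2 betas
# before beta2. A vendor may backport the fix without changing the version,
# so "affected-range" means "verify further", not proof.
classify_openssl() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p')
    case "$ver" in
        '') echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta|1.0.2-beta1) echo affected-range ;;
        *) echo outside-range ;;
    esac
}

# Demo on the build and banner mentioned in the thread plus constructed values.
for b in 18687 19163 23881 23882; do
    echo "build $b: $(classify_build "$b")"
done
for s in "OpenSSL 0.9.8l 5 Nov 2009" "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
    echo "$s: $(classify_openssl "$s")"
done
```

A build inside the flawed range only matters if the image actually bundles OpenSSL, so run `banner_from_file` against the library on the router before concluding anything from the build number alone.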
tkoyn
DD-WRT User


Joined: 11 Feb 2007
Posts: 402

Posted: Thu Apr 10, 2014 7:04
Considering this and other vulnerabilities, what DD-WRT versions should I have on my older routers including Buffalo WHR-G54-HP, WHR-G54S, and Linksys WRT-600N?
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17485
Location: Hesse/Germany

Posted: Thu Apr 10, 2014 20:38
http://svn.dd-wrt.com/changeset/23882
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search!
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
PartisanEntity
DD-WRT Novice


Joined: 24 Dec 2008
Posts: 11

Posted: Fri Apr 11, 2014 8:51
Sorry newbie question: which version should I install on my WRT54GL?

The router database on dd-wrt.com lists the following latest BETA version: v24 preSP2 [BETA] Build 14896?

Also, how come no new recent stable releases since the last one? (Sorry if the answer is obvious).
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 6109
Location: Dresden, Germany

Posted: Fri Apr 11, 2014 10:03
Neither https nor ssh is affected in any build. https uses matrixssl and dropbear uses tomcrypt.

openssl is used for freeradius, openvpn, tor, asterisk

So if you have a small router with 4 MB flash, you aren't affected since openssl is not even included. If you use a big router with openvpn, you might be affected if tls is used. Next beta builds will fix that issue.

_________________
one cigarette costs 2 minutes of your life.
one bottle of beer costs 4 minutes of your life.
one working day costs 8 hours of your life.

DD-WRT supported Concerts @ Bunker Dresden
03.10.2014 - Front 242 / Haujobb / Planet Myer Day
gmnenad
DD-WRT Novice


Joined: 17 Apr 2011
Posts: 6

Posted: Fri Apr 11, 2014 11:12    Post subject: VPN with PPTP?
I assume that PPTP VPN server is not affected by the OpenSSL bug?
syscon
DD-WRT Novice


Joined: 30 Mar 2010
Posts: 28

Posted: Fri Apr 11, 2014 12:34
I have a Firmware: DD-WRT v24-sp2 (08/12/10) mini
How to find out if it is affected or not?
Where is the build version number?
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 224

Posted: Fri Apr 11, 2014 13:29
syscon wrote:
How to find out if it is affected or not?


if you are not using/don't know what these are then you are not affected:

BrainSlayer wrote:
openssl is used for freeradius, openvpn, tor, asterisk


BrainSlayer wrote:
next beta builds will fix that issue.


when next build BS? approx eta?
syscon
DD-WRT Novice


Joined: 30 Mar 2010
Posts: 28

Posted: Fri Apr 11, 2014 15:10
rizla7 wrote:
syscon wrote:
How to find out if it is affected or not?


if you are not using/don't know what these are then you are not affected:

BrainSlayer wrote:
openssl is used for freeradius, openvpn, tor, asterisk


BrainSlayer wrote:
next beta builds will fix that issue.


when next build BS? approx eta?


I'm using openvpn-2.3.2 (compiled with lzo pam plugins ssl)
and dev-libs/openssl-0.9.8y

so I don't think I'm affected.
PartisanEntity
DD-WRT Novice


Joined: 24 Dec 2008
Posts: 11

Posted: Fri Apr 11, 2014 19:32
How can I check which version of openssl is on my build of the firmware?

Is there a command I can use?

Or anywhere I can look it up?

(I want to enable openvpn, that's why I would like to know)