Heartbleed & DD-WRT/DD-WRT Online Services

The Heartbleed vulnerability discovered in OpenSSL 1.0.1 - 1.0.1f is one of the most serious issues in encrypted data communication in recent years. First of all, we can assure you that encrypted web services such as the DD-WRT Online Shop and the Activation Center have never been affected, because the OpenSSL version we are using does not contain the vulnerability.

Currently the main focus of the Heartbleed discussion is on web servers using SSL/TLS, but other services on Linux systems also use OpenSSL. By default, none of these services is enabled in DD-WRT. Nevertheless, it is important that you check your router settings to find out whether you might be affected by Heartbleed.

The Heartbleed vulnerability allows an attacker to read random 64k blocks of memory of the service using OpenSSL (with TLS). Since every request delivers another 64k memory block, an attacker could retrieve sensitive data from the service, e.g. private keys. More detailed information about Heartbleed can be found in the security advisory:

http://www.kb.cert.org/vuls/id/720951

and here:

English: http://www.infoq.com/news/2014/04/heartbleed-ssl
German: http://www.golem.de/news/openssl-wichtige-fragen-und-antworten-zu-heartbleed-1404-105740.html

In DD-WRT itself the following services are using OpenSSL with TLS:

  • openvpn
  • squid
  • freeradius
  • asterisk
  • curl
  • pound
  • tor
  • transmission

OpenSSL was updated immediately in the DD-WRT SVN repository. It can take a few days until we can provide updated versions for all routers. Users running critical applications can contact us via the info mail form, but please check first whether your setup is really affected by Heartbleed.
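
One way to run the check described above from a shell, as an added example that is not DD-WRT code: it reports exposure only when the OpenSSL version lies in the 1.0.1 - 1.0.1f range and one of the listed services is running. The function names, the sample process listing and the radiusd process name are assumptions; on a live system pass in the output of `openssl version` and `ps`.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Version range and service names come from
# the advisory text; the sample input at the bottom is constructed.

# Return 0 if the version token falls in the affected range 1.0.1 - 1.0.1f.
# A version string cannot show whether a vendor backported the fix.
is_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Print each service from the advisory's list found in a process listing ($1).
# Assumptions: the FreeRADIUS daemon usually runs as radiusd, so that name is
# matched too; curl is a client tool, not a daemon, so it is skipped here.
running_tls_services() {
    for svc in openvpn squid freeradius radiusd asterisk pound tor transmission; do
        if printf '%s\n' "$1" | grep -Eq "(^|[ /])${svc}([ -]|\$)"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Exposed only if an affected OpenSSL is installed AND a listed service runs.
heartbleed_exposure() {
    ver=$(version_token "$1")
    svcs=$(running_tls_services "$2" | tr '\n' ' ')
    if ! is_affected_version "$ver"; then
        echo "not-affected: OpenSSL $ver"
    elif [ -z "$svcs" ]; then
        echo "not-exposed: OpenSSL $ver, no listed service running"
    else
        echo "exposed: OpenSSL $ver, running: ${svcs% }"
    fi
}

# Constructed sample input (not captured from a real router).
SAMPLE_PS='  PID USER   VSZ STAT COMMAND
    1 root  1364 S    /sbin/init
  812 root  2908 S    openvpn --config /tmp/client.conf
  901 root  1120 S    httpd -p 80'
heartbleed_exposure "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_PS"
```

A "not-exposed" result still means the firmware carries an affected library, so the update remains necessary before any of the listed services is enabled.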

We will update this information when new information becomes available.

Latest DD-WRT Releases

To obtain the matching version for your router please use the Router Database:

Router-Database