OpenVPN affected by OpenSSL bug CVE-2014-016?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page Previous  1, 2, 3, 4  Next
Author Message
FernSpider
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 3
Location: Dublin, Ireland

PostPosted: Fri Apr 11, 2014 19:59    Post subject: Reply with quote
PartisanEntity wrote:
How can I check which version of openssl is on my build of the firmware ?

Is there a command I can use ?

Or anywhere I can look it up ?

(I want to enable openvpn, that's why i would like to know)


I would also like to know the answer to this question.

Thanks in advance.

_________________
ASUS RT-N16 (x6) DD-WRT V24-SP2 Mega (14929)
ASUS RT-N16 (x1) DD-WRT V24-SP2 Mega (19519)
WRT54G-TM (x2) DD-WRT V24-SP2 Mega (13064)
Sponsor
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Fri Apr 11, 2014 20:07    Post subject: What about Peacock thread and beta releases Reply with quote
Am I missing something or does this say the only way to fix OpenVPN on all the old boxes is to install a beta build on them, which probably means 1) they won't work any more or 2) OpvenVPN implementation has changed so much it will take a steep learning curve and a lot of experimentation for the slightly-educated to re-configure them?

The Peacock thread (sp) warns (and rightly so about) upgrading any of these old boxes to the newest beta firmware. I have tried upgrading enough to know to just leave well enough alone.

I have OpenVPN server on WRT54G 14896 and the same on an Asus 500gPV2 running 14896 . Every post I read says do not update these boxes past this firmware level. Guess this means I need to shut my OpenVPN network down?
PartisanEntity
DD-WRT Novice


Joined: 24 Dec 2008
Posts: 11

PostPosted: Fri Apr 11, 2014 20:14    Post subject: Re: What about Peacock thread and beta releases Reply with quote
donphillipe wrote:
Am I missing something or does this say the only way to fix OpenVPN on all the old boxes is to install a beta build on them, which probably means 1) they won't work any more or 2) OpvenVPN implementation has changed so much it will take a steep learning curve and a lot of experimentation for the slightly-educated to re-configure them?

The Peacock thread (sp) warns (and rightly so about) upgrading any of these old boxes to the newest beta firmware. I have tried upgrading enough to know to just leave well enough alone.

I have OpenVPN server on WRT54G 14896 and the same on an Asus 500gPV2 running 14896 . Every post I read says do not update these boxes past this firmware level. Guess this means I need to shut my OpenVPN network down?


I have a very similar worry, and up until had a working openvpn, albeit with an old/ancient version of DD-WRT.

Unfortunately there is nothing clear about what users of these routers should/can do to:

keep openvpn + not be vulnerable to heartbleed
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Fri Apr 11, 2014 20:36    Post subject: Reply with quote
Only thing that seems logical is to take the Peacock thread suggestions for the most popular router models and publish an update to those stable builds, such as taking 14896 and creating a 14896h version?
Gonzo_WRTer
DD-WRT Novice


Joined: 20 Feb 2014
Posts: 29

PostPosted: Fri Apr 11, 2014 22:49    Post subject: Reply with quote
donphillipe wrote:
Only thing that seems logical is to take the Peacock thread suggestions for the most popular router models and publish an update to those stable builds, such as taking 14896 and creating a 14896h version?


Kong's got a poll up in Broadcom about re-rolling a k26 build with the SSL fix. I'm supporting the effort... and he's a total hero for considering it.

This is an unprecedented problem for those of us well well configured hardware and who probably oughtn't mess with the newest betas.

Just be aware that the example above is a non-issue. From another thread on HeartBleed, that talks about when the flawed OPENSSL came into the DD-WRT world:

""Any DD-WRT build before 19163 is safe, and any build after 23882 is also safe.""

(I think any KONG build before 19200 is also safe based on the changelog, but some of the coolest adds came later in his cycle and, alas, after the SSL bug was introduced).
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 293

PostPosted: Fri Apr 11, 2014 23:05    Post subject: Reply with quote
quoting, because.. some people..

code65536 wrote:
DD-WRT started using the vulnerable code on 2012/04/29. Any DD-WRT build before 19163 is safe, and any build after 23882 is also safe.


if you have an older router, it might support an older firmware version which is not affected. otherwise, wait...

and here is kong's thread, although i use BS' build: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=260282
rizla7
DD-WRT User


Joined: 11 May 2012
Posts: 293

PostPosted: Fri Apr 11, 2014 23:31    Post subject: Reply with quote
although, this sort of raises the issue that all openvpn build in the router database between 19163 and 23882 should probably be removed.
mocream
DD-WRT Novice


Joined: 12 Apr 2014
Posts: 1

PostPosted: Sat Apr 12, 2014 3:08    Post subject: Reply with quote
Is it possible to patch my D-Link DIR-825 rev b?
Wetzel
DD-WRT Novice


Joined: 12 Apr 2014
Posts: 49

PostPosted: Sat Apr 12, 2014 18:33    Post subject: Reply with quote
BrainSlayer wrote:
https nor ssh is affected in all builds. https uses matrixssl and dropbear uses tomcrypt.

openssl is used for freeradius, openvpn, tor, asterisk

so if you have a small router with 4 mb flash, you arent affected since openssl is not even included. if you use a big router with openvpn, you might be affected if tls is used. next beta builds will fix that issue.


Interesting. Well, thats just it, i use a WRT54GL running build 22118 from July of last year. Obviously this is vulnerable, but from what you said of 4mb flash, i felt a bit better about it. However, i use the VPN version of that build, which of course, has OpenVPN which i make use of daily.

Here is a snippet:

Serverlog Clientlog 20140413 06:01:44 I OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2013

So umm...yea, somehow i feel im vulnerable, as its showing usage of OpenSSL. I assume you meant 4mb flashes WITHOUT OpenVPN (aka, VPN builds), and just standard and others that werent affected. Was just wondering if you can confirm whether im right or wrong here, thanks!
iVitor
DD-WRT User


Joined: 10 Jul 2009
Posts: 92

PostPosted: Sat Apr 12, 2014 18:43    Post subject: Reply with quote
Just for the sake of clarity, as far as I can understand, only the services/processes that actually use OpenSSL are vulnerable to this -- just because a build comes with OpenSSL it does not instantly make the whole firmware vulnerable, it only is vulnerable if you are actually running one of the processes which uses the flawed OpenSSL lib.
Wetzel
DD-WRT Novice


Joined: 12 Apr 2014
Posts: 49

PostPosted: Sat Apr 12, 2014 18:52    Post subject: Reply with quote
iVitor wrote:
Just for the sake of clarity, as far as I can understand, only the services/processes that actually use OpenSSL are vulnerable to this -- just because a build comes with OpenSSL it does not instantly make the whole firmware vulnerable, it only is vulnerable if you are actually running one of the processes which uses the flawed OpenSSL lib.


Yea, exactly. That is the whole crux of my previous post there, because im uncertain what Brainslayer meant. The VPN build i use is less than 4mb, and i use an 'older' router, but i use OpenVPN, hence the VPN build, and the log clearly shows OpenSSL is being loaded/used. So...as you say, a 'process' is apparently using the library, that process being, OpenVPN. So...that said, is it safe to say that im basically screwed here and vulnerable?

Also, any idea on the ETA for fixed/new builds?

Oh and how does one get himself infected with this crap? Im guessing its whoever happens to have the skills to inject the bug into any particular network, or just pull encrypted datastreams to storage, and then they unlock it all with the HeartBleed exploit?

No doubt in my mind this the TAO malware, tripwire, network implanter, cyberwar division of the NSA/GCHQ, btw, same ones who brought us Stuxnet and Flame Rolling Eyes Its obvious they know everyone is jumping to encrypted systems and so their goal now is to unlock and reverse it as much as they can. No way in hell im gonna buy the 'genius kid in his basement', as the creator of this.
jselormey
DD-WRT Novice


Joined: 13 Apr 2014
Posts: 1

PostPosted: Sun Apr 13, 2014 21:25    Post subject: Reply with quote
Hi,
I'm using a Linksys E3200 router with dd-wrt.v24-23720_NEWD-2_K2.6_mini-e3200

Am I affected by the heartbleed bug?
JNavas
DD-WRT User


Joined: 16 May 2010
Posts: 130
Location: San Francisco Bay Area

PostPosted: Mon Apr 14, 2014 16:28    Post subject: Reply with quote
rizla7 wrote:
although, this sort of raises the issue that all openvpn build in the router database between 19163 and 23882 should probably be removed.


Everything with HeartBleed should DEFINITELY be removed IMMEDIATELY!
Only Mini builds should be considered safe.

_________________
Hope that helps,
John
DD-WRT 21676 K26 Mini, Kong 22000++, Kong 25015-SP1, and 26138


Last edited by JNavas on Mon Apr 14, 2014 17:41; edited 3 times in total
JNavas
DD-WRT User


Joined: 16 May 2010
Posts: 130
Location: San Francisco Bay Area

PostPosted: Mon Apr 14, 2014 16:39    Post subject: Reply with quote
jselormey wrote:
Hi,
I'm using a Linksys E3200 router with dd-wrt.v24-23720_NEWD-2_K2.6_mini-e3200
Am I affected by the heartbleed bug?

Did you not READ THE WHOLE THREAD?
Quote:
Any DD-WRT build after (and including) 19163 has the flaw, and any build after (and including) 23882 has the fix.

So YES YOU ARE AFFECTED!

CORRECTION: Since you are running Mini, you should not be affected. Apology.

_________________
Hope that helps,
John
DD-WRT 21676 K26 Mini, Kong 22000++, Kong 25015-SP1, and 26138


Last edited by JNavas on Mon Apr 14, 2014 18:33; edited 1 time in total
Wetzel
DD-WRT Novice


Joined: 12 Apr 2014
Posts: 49

PostPosted: Mon Apr 14, 2014 18:23    Post subject: Reply with quote
JNavas wrote:
...and any build after (and including) 23882 has the fix.


Where is this 23882 build, because the ftp link with all the builds from Eko/BS show nothing new since 3-30-14 (23838). Would you (or anyone else) be so kind as to point me to it? Much thx in advance.
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 2 of 4
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum