Posted: Tue Apr 08, 2014 9:43 Post subject: OpenVPN affected by OpenSSL bug CVE-2014-016?
Hi,
This morning OpenSSL announced a serious bug which can expose (among others) private Cert keys and session keys (http://heartbleed.com/). Since OpenVPN uses OpenSSL: is dd-wrt vulnerable?
Posted: Tue Apr 08, 2014 12:59 Post subject: Re: OpenVPN affected by OpenSSL bug CVE-2014-016?
fnfspam wrote:
Hi,
This morning OpenSSL announced a serious bug which can expose (among others) private Cert keys and session keys (http://heartbleed.com/). Since OpenVPN uses OpenSSL: is dd-wrt vulnerable?
A quick look at the repository says all versions between ~19000 - 23882 are affected, previous releases should be fine, but they have other vulnerabilities.
What process could be exploited with heartbleed? ssh connections? Otherwise I have no https connections to my routers. I don't use OpenVPN.
On the internet folks say that it does not affect ssh.
As far as I know, it only affects the servers which run unpatched OpenSSL (but 0.9.x are unaffected). So, unless you run a server with vulnerable OpenSSL in it, there is nothing to fear. _________________ 2 times RT-AC56U running 33772 with entware-ng, Yamon 3 (SFE disabled).
Asus RT-N16 running Merlin LTS fork RT-N16_3.0.0.4_374.43_2-25E8j9527.trx with entware-ng.
2 times Asus RT-N16 running dd-wrt.v24-33772_NEWD-2_K3.x_big.bin with entware-ng
However use of tls-auth can help mitigate this assuming you trust whoever has access to your tls-auth secret key. If your tls-auth key is compromised then this attack can be used.
of course this assumes you are using a tls-auth key.
if you aren't, this is probably a good time to roll a new key/cert pair and add a tls-auth key while you're at it
Would you happen to know if 18687 is impacted ?
Don't feel like upgrading if it isn't cause it's working just fine on my E4200.
edit: doesn't look like it is, cat | strings says "OpenSSL 0.9.8l 5 Nov 2009"
You can also check the SVN.
DD-WRT started using the vulnerable code on 2012/04/29. Any DD-WRT build after (and including) 19163 has the flaw, and any build after (and including) 23882 has the fix.
Considering this and other vulnerabilities, what DD-WRT versions should I have on my older routers including Buffalo WHR-G54-HP, WHR-G54S, and Linksys WRT-600N?
Joined: 06 Jun 2006 Posts: 6814 Location: Dresden, Germany
Posted: Fri Apr 11, 2014 10:03 Post subject:
https nor ssh is affected in all builds. https uses matrixssl and dropbear uses tomcrypt.
openssl is used for freeradius, openvpn, tor, asterisk
so if you have a small router with 4 mb flash, you arent affected since openssl is not even included. if you use a big router with openvpn, you might be affected if tls is used. next beta builds will fix that issue. _________________ one cigarette costs 2 minutes of your life.
one bottle of beer costs 4 minutes of your life.
one working day costs 8 hours of your life.
Yummee:
Linux DD-WRT 4.14.8 #42 SMP PREEMPT Thu Dec 21 18:11:16 CET 2017 armv7l DD-WRT
root@DD-WRT:/sys# nvram get DD_BOARD
Netgear R7800
