HEARTBLEED exploit OpenSSL

[jrodder]

So I searched the forum, didn't come up with a result. If there's a thread I missed, please delete this. Untangle seems to be one of the vulnerable platforms.

http://heartbleed.com/
http://www.reddit.com/r/programming/...eartbleed_bug/

test your own servers:

http://filippo.io/Heartbleed/

[lgraves]

Here's a post on the support site...NG Firewall products are not vulnerable.

https://support.untangle.com/hc/en-u...cles/201956817

[sky-knight]

Both Untangle 9 and Untangle 10 run patched versions of OpenSSL 0.9.8, which aren't vulnerable to HeartBleed.

Debian Wheezy is using a version of 1.0.1e, so if you have any debian servers exposed to the world you need to patch them, and give them a reboot (services need restarted to be fixed).

As far as I can tell Ubuntu LTS isn't impacted, but I don't have a VM to confirm it directly.

So no, Untangle because it's on old software gets a pass on this one. Newer != better

[fasttech]

As far as I can tell Ubuntu LTS isn't impacted, but I don't have a VM to confirm it directly.

It is. Updates are already in the repos.

[Braveheart]

Here's a post on the support site...NG Firewall products are not vulnerable.

https://support.untangle.com/hc/en-u...cles/201956817

Any idea when the update to correct the OpenVPN installer for windows generated by the Untangle server will be released?

[WebFooL]

Braveheart,

This bug will fix the issue.
http://bugzilla.untangle.com/show_bug.cgi?id=11782
And it will be rls in 10.2

For Already installed clients you can advice them to download the latest installer form OpenVPN.net or the Untangle-10-HeartBleed-fix.exe from here

The thing to know is that there is no "real" threat to the client as the only one that can use the bug is the OpenVPN server and if a hacker has control of that he can just the traffic on the server side of the tunnel when the encryption is gone and read all in plane text instead of getting "random" 64k sections.

[sky-knight]

Heart Bleed CANNOT affect OpenVPN. Current exploits revolve around using the heart beat of an HTTPS session to get information that shouldn't be given. As far as I know, OpenVPN doesn't use OpenSSL for this sort of thing, and only uses it for the certificate generation itself.

Now if you have OpenVPN Access Server, YES YOU NEED TO UPDATE. Because that's an apache web service running on OpenSSL and vulnerable. Untangle doesn't use Access Server.

Again, as far as I can tell the actual VPN clients are "vulnerable" but not exploitable, so it doesn't matter. The paranoid will do what WebFool suggests and simply get the most recent client from OpenVPN.net and upgrade.

[rbngan]

Heart Bleed CANNOT affect OpenVPN.

Now if you have OpenVPN Access Server, YES YOU NEED TO UPDATE. Because that's an apache web service running on OpenSSL and vulnerable. Untangle doesn't use Access Server.

Again, as far as I can tell the actual VPN clients are "vulnerable" but not exploitable, so it doesn't matter. The paranoid will do what WebFool suggests and simply get the most recent client from OpenVPN.net and upgrade.

I can't say I understand all this but this link seams to indicate OpenVPN is exploitable. http://arstechnica.com/security/2014...uthentication/

I have OpenVPN turned on my UT 10.1.0 server. My clients downloaded the open VPN client from UT and installed them about 5 months ago.
Can someone indicate what specifically should be done to ensure OpenVPN is not exploited?

Thanks

[dmorris]

Can someone indicate what specifically should be done to ensure OpenVPN is not exploited?

Ensure that your Untangle server has not been compromised.

If your Untangle server is compromised then it could, in theory, compromise your remote openvpn clients using heartbleed.
In reality, you could pretty much do this anyway without heartbleed as the openvpn client runs with escalated privledges on the client and a lot of capabilties, but we mention it for full disclosure.

[sky-knight]

Yes, please read what Dirk posted and understand it. While the clients can indeed be exploited, it can only be done after a much larger exploit has been had.

So it's the same as always... don't expose SSH so your Untangle server gets hacked. To my knowledge not a single Untangle server has ever been compromised without SSH enabled and open to the world with a weak password.

Finally, if you have OpenVPN outside of Untangle, especially if you're running OpenVPN Access Server, THAT NEEDS PATCHED. The heart of access server is an easily exploitable Apache backed with OpenSSL. But again, this has nothing to do with Untangle.