  1. #1
    Untangler
    Join Date
    Oct 2009
    Posts
    47

    HEARTBLEED exploit OpenSSL

    So I searched the forum, didn't come up with a result. If there's a thread I missed, please delete this. Untangle seems to be one of the vulnerable platforms.

    http://heartbleed.com/
    http://www.reddit.com/r/programming/...eartbleed_bug/

    test your own servers:

    http://filippo.io/Heartbleed/

  2. #2
    Newbie
    Join Date
    Jan 2014
    Posts
    4


    Here's a post on the support site...NG Firewall products are not vulnerable.

    https://support.untangle.com/hc/en-u...cles/201956817
    Last edited by lgraves; 04-08-2014 at 07:22 AM.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510


    Both Untangle 9 and Untangle 10 run patched versions of OpenSSL 0.9.8, which aren't vulnerable to HeartBleed.

    Debian Wheezy is using 1.0.1e, so if you have any Debian servers exposed to the world you need to patch them and give them a reboot (services need to be restarted to be fixed).

    As far as I can tell Ubuntu LTS isn't impacted, but I don't have a VM to confirm it directly.

    So no, Untangle because it's on old software gets a pass on this one. Newer != better
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
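A defender-side check for the two points raised in the post above: whether the installed OpenSSL falls in the upstream Heartbleed-affected range, and which long-running services still hold the pre-upgrade library mapped after a patch (the "services need restarting" problem). This is an added example written for this thread, not code from the forum, from Untangle or from any of the posters. It assumes a Linux host with /proc, and the version ranges are upstream's (1.0.1 through 1.0.1f and the 1.0.2 betas, fixed in 1.0.1g); distributions such as Debian backport the fix without changing the version string, so an "affected-upstream" verdict means "check the package changelog or your distribution's advisory", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example (not from the forum thread). Two local checks for Heartbleed
# exposure on a Linux host; version ranges are OpenSSL upstream's.

# Returns 0 (true) when the bare version token is in the upstream-affected
# range, 1 otherwise. $1 is the token after "OpenSSL", e.g. "1.0.1e" or "0.9.8o".
heartbleed_version_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f: affected
        1.0.2-beta*)      return 0 ;;   # 1.0.2 betas: affected
        *)                return 1 ;;   # 0.9.8, 1.0.0, 1.0.1g and later: not affected
    esac
}

# Pulls the version token out of full `openssl version` output such as
# "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
    printf '%s\n' "$1" | awk '/^OpenSSL/ {print $2}'
}

# Classifies a banner string. Prints "affected-upstream" or "not-affected".
# Caveat: distro packages backport fixes without bumping this string, so
# "affected-upstream" is a prompt to check the package version/advisory.
classify_openssl_banner() {
    tok=$(openssl_version_token "$1")
    if heartbleed_version_affected "$tok"; then
        echo "affected-upstream"
    else
        echo "not-affected"
    fi
}

# After libssl is upgraded, already-running daemons keep the old (now deleted)
# shared object mapped until restarted. This lists "<pid> <cmdline>" for each
# process whose memory map still references a deleted libssl. Needs root to
# read other users' /proc/<pid>/maps.
services_holding_old_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')"
        fi
    done
}

# Stand-alone usage:  sh heartbleed_check.sh --run
if [ "${1:-}" = "--run" ]; then
    classify_openssl_banner "$(openssl version 2>/dev/null)"
    services_holding_old_libssl
fi
```

Run it with `--run` as root right after the upgrade: any process the second check lists is still serving with the old library and needs a restart (or the reboot the post recommends), regardless of what `openssl version` now reports.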

  4. #4
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186


    Quote Originally Posted by sky-knight:

    As far as I can tell Ubuntu LTS isn't impacted, but I don't have a VM to confirm it directly.
    It is. Updates are already in the repos.

  5. #5
    Untanglit
    Join Date
    Feb 2014
    Posts
    17


    Quote Originally Posted by lgraves:
    Here's a post on the support site...NG Firewall products are not vulnerable.

    https://support.untangle.com/hc/en-u...cles/201956817
    Any idea when the update to correct the OpenVPN installer for windows generated by the Untangle server will be released?

  6. #6
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,049


    Braveheart,

    This bug will fix the issue.
    http://bugzilla.untangle.com/show_bug.cgi?id=11782
    And it will be released in 10.2.

    For already installed clients you can advise them to download the latest installer from OpenVPN.net or the Untangle-10-HeartBleed-fix.exe from here.

    The thing to know is that there is no "real" threat to the client, as the only one that can use the bug is the OpenVPN server, and if a hacker has control of that he can just take the traffic on the server side of the tunnel, where the encryption is gone, and read it all in plain text instead of getting "random" 64k sections.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510


    Heart Bleed CANNOT affect OpenVPN. Current exploits revolve around using the heart beat of an HTTPS session to get information that shouldn't be given. As far as I know, OpenVPN doesn't use OpenSSL for this sort of thing, and only uses it for the certificate generation itself.

    Now if you have OpenVPN Access Server, YES YOU NEED TO UPDATE. Because that's an apache web service running on OpenSSL and vulnerable. Untangle doesn't use Access Server.

    Again, as far as I can tell the actual VPN clients are "vulnerable" but not exploitable, so it doesn't matter. The paranoid will do what WebFool suggests and simply get the most recent client from OpenVPN.net and upgrade.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangler
    Join Date
    Sep 2008
    Posts
    41


    Quote Originally Posted by sky-knight:
    Heart Bleed CANNOT affect OpenVPN.

    Now if you have OpenVPN Access Server, YES YOU NEED TO UPDATE. Because that's an apache web service running on OpenSSL and vulnerable. Untangle doesn't use Access Server.

    Again, as far as I can tell the actual VPN clients are "vulnerable" but not exploitable, so it doesn't matter. The paranoid will do what WebFool suggests and simply get the most recent client from OpenVPN.net and upgrade.
    I can't say I understand all this, but this link seems to indicate OpenVPN is exploitable. http://arstechnica.com/security/2014...uthentication/

    I have OpenVPN turned on on my UT 10.1.0 server. My clients downloaded the OpenVPN client from UT and installed it about 5 months ago.
    Can someone indicate what specifically should be done to ensure OpenVPN is not exploited?

    Thanks

  9. #9
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by rbngan:
    Can someone indicate what specifically should be done to ensure OpenVPN is not exploited?
    Ensure that your Untangle server has not been compromised.

    If your Untangle server is compromised then it could, in theory, compromise your remote openvpn clients using heartbleed.
    In reality, you could pretty much do this anyway without heartbleed, as the openvpn client runs with escalated privileges on the client and has a lot of capabilities, but we mention it for full disclosure.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510


    Yes, please read what Dirk posted and understand it. While the clients can indeed be exploited, it can only be done after a much larger exploit has been had.

    So it's the same as always... don't expose SSH so your Untangle server gets hacked. To my knowledge not a single Untangle server has ever been compromised without SSH enabled and open to the world with a weak password.

    Finally, if you have OpenVPN outside of Untangle, especially if you're running OpenVPN Access Server, THAT NEEDS TO BE PATCHED. The heart of Access Server is an easily exploitable Apache backed with OpenSSL. But again, this has nothing to do with Untangle.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
