Avast WEBforum

Topic started by: cherry856 on April 12, 2014, 01:56:25 PM

Title: Heartbleed
Post by: cherry856 on April 12, 2014, 01:56:25 PM
Hi, if SecureLine is based on OpenVPN and OpenVPN is based on OpenSSL, is SecureLine vulnerable to the Heartbleed bug?
Title: Re: Heartbleed
Post by: schmidthouse on April 14, 2014, 05:42:41 PM
Nah, extremely unlikely.
I certainly am not concerning myself.  ;D
I use SecureLine and PrivateTunnel and both are OpenVPN servers.
Title: Re: Heartbleed
Post by: cherry856 on April 15, 2014, 01:04:42 AM
Can you provide further explanation for why you don't think it's a likely problem? Have you seen the code?
Title: Re: Heartbleed
Post by: cherry856 on April 15, 2014, 02:16:28 AM
If you go to the OpenVPN website you will see a number of advisories.

For example, at (https://community.openvpn.net/openvpn/wiki/heartbleed) the OpenVPN people announced the following:
          "A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too."

And they also said:
          "Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f"

At (http://docs.openvpn.net/important-security-notice-regarding-heartbleed-vulnerability/) the OpenVPN people announced that the following versions of OpenVPN are affected by Heartbleed:
          "The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5."

What version of OpenVPN is SecureLine running? Is it one of the affected versions? If so, has it been patched?

Please share the inside information that you have that makes you feel so confident that it is "extremely unlikely" that Heartbleed affects SecureLine...
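
A first-pass check against the OpenSSL range quoted in the post above (1.0.1 through 1.0.1f), as an added example that is not part of the original thread and not OpenVPN's or Avast's own code. The function names and the sample banners are constructed for illustration; the banner style assumed is the one printed by `openssl version`.

```python
import re

# Matches banners in the style printed by `openssl version`,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013". Pre-release tags are captured
# separately because the quoted range does not cover them.
_BANNER = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|dev|pre)\w*)?"
)

def in_quoted_range(banner):
    """Classify a banner against the range quoted in the thread
    (OpenSSL 1.0.1 through 1.0.1f).

    Returns True (inside the range), False (outside it) or None
    (no version found, or a pre-release build the quote does not cover).
    """
    m = _BANNER.search(banner)
    if m is None or m.group(5):
        return None
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if release != (1, 0, 1):
        return False
    # Plain "1.0.1" carries no letter; patch letters then run a, b, c, ...
    return letter == "" or letter <= "f"

def triage(banners):
    """Map each banner to 'in range', 'outside range' or 'unknown'."""
    labels = {True: "in range", False: "outside range", None: "unknown"}
    return {b: labels[in_quoted_range(b)] for b in banners}

# Constructed sample input, not taken from any real host.
SAMPLE = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1-beta1 03 Jan 2012",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE).items():
        print(f"{verdict:14} {banner}")
```

A version-string match is only a first pass: distribution packages can carry a backported fix under an unchanged upstream version letter, so confirm against the vendor's package changelog.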
Title: Re: Heartbleed
Post by: schmidthouse on April 15, 2014, 05:36:56 PM
I am not an IT tech.
I don't read code per se.
My statement was my opinion based on what I have done, and read on Security Forums on the internet for over 25 years.
Your questions are more appropriately directed towards the Avast developers.
I am just a user and student of Internet Security.
That's it. :)

Additional: http://forum.avast.com/index.php?topic=148993.0
Title: Re: Heartbleed
Post by: poutnik on April 17, 2014, 10:46:23 PM
Secunia Personal Software Inspector has identified OpenVPN of Avast as vulnerable.
Vulnerable version, should be updated to 2.3.3.

Related Secunia advisory
OpenVPN OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities

OpenVPN has acknowledged two vulnerabilities in OpenVPN, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL.
The vulnerabilities are reported in versions prior to 2.3.3-I001 running on Windows.

Update to version 2.3.3-I002.

Original Advisory: