Avast WEBforum
Consumer Products => Avast SecureLine VPN => Avast SecureLine VPN for Windows => Topic started by: cherry856 on April 12, 2014, 01:56:25 PM
-
Hi, if SecureLine is based on OpenVPN and OpenVPN is based on OpenSSL, is SecureLine vulnerable to the Heartbleed bug?
-
Nah, extremely unlikely.
I certainly am not concerning myself. ;D
I use SecureLine and PrivateTunnel and both are OpenVPN servers.
-
Can you provide further explanation for why you don't think it's a likely problem? Have you seen the code?
-
If you go to the OpenVPN website you will see a number of advisories.
For example, at (https://community.openvpn.net/openvpn/wiki/heartbleed) the OpenVPN people announced the following:
"A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too."
And they also said:
"Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f"
At (http://docs.openvpn.net/important-security-notice-regarding-heartbleed-vulnerability/) the OpenVPN people announced that the following versions of OpenVPN are affected by Heartbleed:
"The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5."
What version of OpenVPN is SecureLine running? Is it one of the affected versions? If so, has it been patched?
Please share the inside information that you have that makes you feel so confident that it is "extremely unlikely" that Heartbleed affects SecureLine...
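Added example, not part of the original thread or of any OpenVPN or Avast code: a Python check of an OpenSSL version banner against the affected range quoted above (1.0.1 through 1.0.1f). The function names and the sample banners are constructed for illustration; the banners follow the `OpenSSL <version> <date>` form that OpenSSL prints.

```python
import re

# Matches e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.1e-fips ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Return (major, minor, patch, letter) found in a banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def in_heartbleed_range(text):
    """True if the banner reports OpenSSL 1.0.1 through 1.0.1f,
    False for any other version, None if no version string is present."""
    version = parse_openssl_version(text)
    if version is None:
        return None  # unknown: do not treat a missing banner as safe
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return False
    # "" is plain 1.0.1; single letters a..f are in the affected range.
    return letter == "" or letter in ("a", "b", "c", "d", "e", "f")

# Constructed sample banners (not captured from any real installation).
SAMPLE_BANNERS = {
    "host-a": "OpenSSL 1.0.1f 6 Jan 2014",
    "host-b": "library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05",
    "host-c": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "host-d": "OpenSSL 0.9.8y 5 Feb 2013",
    "host-e": "OpenVPN client, no crypto library reported",
}

def triage(banners):
    """Map each name to 'affected', 'not in range' or 'unknown'."""
    labels = {True: "affected", False: "not in range", None: "unknown"}
    return {name: labels[in_heartbleed_range(b)] for name, b in banners.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{name}: {verdict}")
```

A version string alone cannot confirm a fix: distributions often backport patches without changing the version letter, and a product that bundles its own OpenSSL has to be checked by the bundled copy, not the system library.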
-
I am not an IT tech.
I don't read code per se.
My statement was my opinion based on what I have done and read on security forums on the internet for over 25 years.
Your questions are more appropriately directed towards the Avast developers.
I am just a user and student of Internet Security.
That's it. :)
Additional: http://forum.avast.com/index.php?topic=148993.0
-
Secunia Personal Software Inspector has identified OpenVPN of Avast as vulnerable.
Vulnerable version 2.3.0.0, should be updated to 2.3.3.
Related Secunia advisory
http://secunia.com/advisories/58062
OpenVPN OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities
OpenVPN has acknowledged two vulnerabilities in OpenVPN, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL.
The vulnerabilities are reported in versions prior to 2.3.3-I001 running on Windows.
Solution:
Update to version 2.3.3-I002.
Original Advisory:
https://openvpn.net/index.php/download/community-downloads.html