Author Topic: Heartbleed  (Read 4036 times)


cherry856

  • Guest
Heartbleed
« on: April 12, 2014, 01:56:25 PM »
Hi, if secureline is based on OpenVPN and OpenVPN is based on OpenSSL, is secureline vulnerable to the Heartbleed bug?

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: Heartbleed
« Reply #1 on: April 14, 2014, 05:42:41 PM »
Nah, extremely unlikely.
I certainly am not concerning myself.  ;D
I use Secureline and PrivateTunnel and both are OpenVPN servers.

cherry856

  • Guest
Re: Heartbleed
« Reply #2 on: April 15, 2014, 01:04:42 AM »
Can you provide further explanation for why you don't think it's a likely problem? Have you seen the code?

cherry856

  • Guest
Re: Heartbleed
« Reply #3 on: April 15, 2014, 02:16:28 AM »
If you go to the OpenVPN website you will see a number of advisories.

For example, at (https://community.openvpn.net/openvpn/wiki/heartbleed) the OpenVPN people announced the following:
          "A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014 1. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too. "

And they also said:
          "Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f"

At (http://docs.openvpn.net/important-security-notice-regarding-heartbleed-vulnerability/) the OpenVPN people announced that the following versions of OpenVPN are affected by Heartbleed:
          "The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5. "

What version of OpenVPN is Secureline running? Is it one of the affected versions? If so, has it been patched?

Please share the inside information that you have that makes you feel so confident that it is "extremely unlikely" that Heartbleed affects Secureline...
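
The version range quoted in the post above, turned into a check over OpenSSL version strings. This is an added example, not part of the original post and not OpenVPN's or Avast's code; the function names, host names and sample strings are constructed for illustration. It assumes input in the form printed by `openssl version`, and it treats a vendor suffix as "check the build", because distributors can backport a fix without changing the upstream version number.

```python
import re

# Affected range as quoted above from the OpenVPN advisory: 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Accepts `openssl version` output or a bare version / package version string.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9.+~-]+)?")


def classify(version_text):
    """Classify an OpenSSL version string against the advisory's range.

    Returns "unknown", "outside-range", "in-range", or
    "in-range-check-build" (vendor suffix present: a distributor may have
    backported the fix without changing the upstream version number).
    """
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown"
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    # An empty letter (plain 1.0.1) sorts before "a", so it stays in range.
    if base != AFFECTED_BASE or letter > LAST_AFFECTED_LETTER:
        return "outside-range"
    return "in-range-check-build" if suffix else "in-range"


def hosts_needing_attention(inventory):
    """Return sorted host names whose version is not clearly outside the range."""
    return sorted(h for h, v in inventory.items() if classify(v) != "outside-range")


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "vpn-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-c": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "vpn-d": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-e": "OpenSSL 1.0.1 14 Mar 2012",
    "vpn-f": "not installed",
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLE.items()):
        print(host, classify(text))
```

A string that cannot be parsed is reported as "unknown" and kept on the attention list rather than assumed safe.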

Offline schmidthouse

Re: Heartbleed
« Reply #4 on: April 15, 2014, 05:36:56 PM »
I am not an IT tech.
I don't read code per se.
My statement was my opinion based on what I have done, and read on Security Forums on the internet for over 25 years.
Your questions are more appropriately directed towards the Avast developers.
I am just a user and student of Internet Security.
That's it. :)

Additional: http://forum.avast.com/index.php?topic=148993.0
« Last Edit: April 15, 2014, 05:41:12 PM by schmidthouse »

poutnik

  • Guest
Re: Heartbleed
« Reply #5 on: April 17, 2014, 10:46:23 PM »
Secunia Personal Software Inspector has identified OpenVPN of Avast as vulnerable.
vulnerable version 2.3.0.0., should be updated to 2.3.3

Related Secunia advisory
http://secunia.com/advisories/58062
OpenVPN OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities

OpenVPN has acknowledged two vulnerabilities in OpenVPN, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL.
The vulnerabilities are reported in versions prior to 2.3.3-I001 running on Windows.

Solution:
Update to version 2.3.3-I002.

Original Advisory:
https://openvpn.net/index.php/download/community-downloads.html
« Last Edit: April 17, 2014, 10:51:27 PM by poutnik »