Author Topic: Heartbleed  (Read 3423 times)

0 Members and 1 Guest are viewing this topic.

cherry856

  • Guest
Heartbleed
« on: April 12, 2014, 01:56:25 PM »
Hi, if secureline is based on OpenVPN and OpenVPN is based on OpenSSL, is secureline vulnerable to the Heartbleed bug?

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7111
  • When you think you know, Think Again
Re: Heartbleed
« Reply #1 on: April 14, 2014, 05:42:41 PM »
Nah, Extremely unlikely.
I certainly am not concerning myself.  ;D
I use Secureline and PrivateTunnel and both are OpenVPN servers
***HP ENVY 15K LT W10 Pro 21H2 64Bit/250GB SSD/16GB Ram/ADU v.22.2b/VS/SANDBOXIE-plus/MailWasherPRO
**HP Compaq 8510p LT W10 Pro 21H2 64Bit/1TB HD/8GB Ram/ADU v.22.2b/VS/SANDBOXIE/HotSpot Shield
 Avast Mobile Security (Android)
LAYERED SECURITY SOFTWARE

cherry856

  • Guest
Re: Heartbleed
« Reply #2 on: April 15, 2014, 01:04:42 AM »
Can you provide further explanation for why you don't think its a likely problem? Have you seen the code?

cherry856

  • Guest
Re: Heartbleed
« Reply #3 on: April 15, 2014, 02:16:28 AM »
If you go to the OpenVPN website you will see a number of advisories.

For example, at (https://community.openvpn.net/openvpn/wiki/heartbleed) the OpenVPN people announced the following:
          "A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014 1. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too. "

And they also said:
          "Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f"

At (http://docs.openvpn.net/important-security-notice-regarding-heartbleed-vulnerability/) the OpenVPN people announced that the following versions of OpenVPN are affected by Heartbleed:
          "The affected versions of Access Server are 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, and 2.0.5. "

What version of OpenVPN is Secureline running? Is it one of the affected versions? If so, has it been patched?

Please share the inside information that you have that makes you feel so confident that it is "extremely unlikely" that Heartbleed affects Secureline...

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7111
  • When you think you know, Think Again
Re: Heartbleed
« Reply #4 on: April 15, 2014, 05:36:56 PM »
I am not an IT tech
I don't read code per se.
MY statement was my opinion based on what I have done, and read on Security Forums on the internet for over 25years
Your questions are more appropriately directed towards the Avast developers.
I am just a user and student of Internet Security.
That's it. :)

Additional: http://forum.avast.com/index.php?topic=148993.0
« Last Edit: April 15, 2014, 05:41:12 PM by schmidthouse »
***HP ENVY 15K LT W10 Pro 21H2 64Bit/250GB SSD/16GB Ram/ADU v.22.2b/VS/SANDBOXIE-plus/MailWasherPRO
**HP Compaq 8510p LT W10 Pro 21H2 64Bit/1TB HD/8GB Ram/ADU v.22.2b/VS/SANDBOXIE/HotSpot Shield
 Avast Mobile Security (Android)
LAYERED SECURITY SOFTWARE

poutnik

  • Guest
Re: Heartbleed
« Reply #5 on: April 17, 2014, 10:46:23 PM »
Secunia Personal software inspector has identified OpenVPN of Avast as vulnerable.
vulnerable version 2.3.0.0., should be updated to 2.3.3

Related Secunia advisory
http://secunia.com/advisories/58062
OpenVPN OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities

OpenVPN has acknowledged two vulnerabilities in OpenVPN, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerabilities are caused due to a bundled vulnerable version of OpenSSL.
The vulnerabilities are reported in versions prior to 2.3.3-I001 running on Windows.

Solution:
Update to version 2.3.3-I002.

Original Advisory:
https://openvpn.net/index.php/download/community-downloads.html
« Last Edit: April 17, 2014, 10:51:27 PM by poutnik »