Subject: Heartbleed: CeroWrt was vulnerable - so are many other devices
From: Dave Taht
To: bloat-announce@lists.bufferbloat.net
Date: Wed, 16 Apr 2014 11:10:10 -0700
List-Id: Low volume list for bufferbloat related announcements

Heartbleed Update

In response to the heartbleed (CVE-2014-0160) vulnerability, on April 9th 2014 we updated the under-development CeroWrt release to include the fixed version of openssl. The fix is in CeroWrt 3.10.36-3 and later. We have no easy means of fixing the "stable" (3.7.5) release of CeroWrt, nor any of the innumerable development releases since then. Please upgrade to a fresh image. [1]

Images are available in:

http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/

In the base image, the administration gui of recent CeroWrt versions depended on openssl (however it is protected by firewall rules to only be accessible from within your own network), and several optional packages did also: stunnel, used for "secure" tunneling, and openvpn in particular.

To find out more about the bug go to http://heartbleed.com/ and/or see the relevant page on wikipedia: http://en.wikipedia.org/wiki/Heartbleed

Heartbleed is one of the most serious bugs that has ever hit the internet, and in addition to web services, critical network daemons such as those that manage network printing, logging, monitoring, voip, chat, tunnels, vpns and email can all potentially be exploited.

We strongly advise resyncing your source trees with us and distributing new firmware images containing the updated libraries. All network-facing TLS-using daemons are potentially a risk, as are any TLS-using services exposed behind the firewall (which you will need to fix as per their guidelines and OS).

Once your system is secured again, you should re-issue certs and passwords, as per:

https://www.eff.org/deeplinks/2014/04/bleeding-hearts-club-heartbleed-recovery-system-administrators

Packages maintained in the openwrt core repositories that can be affected when compiled for openssl [2] may include: libevent2, ustream-ssl, hostapd, openvpn, authsae, luci-ssl, and uhttpd.

Optional network daemons in other repositories such as radsecproxy, vsftpd, squid, mini_httpd, pure-ftpd, cups, ndyndns, elinks, libtorrent, monit, nagios, syslog-ng3, boxbackup, rsyncrypto, curl, cyrus-sasl, openldap, icecast, fetchmail, dovecot, transmission, stunnel, httptunnel, apache, lighttpd, znc, net-snmp, bitlbee, asterisk, postfix and openvpn *all* use TLS level security, are often linked against openssl, and are thus potentially vulnerable. Please see the relevant website for each of the products above for news on their vulnerabilities.

Much of the furor over heartbleed has focused on websites, though notably smtp, imaps and im traffic have also been shown vulnerable.

https://zmap.io/heartbleed/
http://blog.freenode.net/2014/04/heartbleed/

Other home router and CPE distributions are also affected. One example among many:

http://www.theguardian.com/technology/2014/apr/16/bt-heartbleed-home-hubs

Network-facing applications built on top of php4, php5, python, luasec, erlang, ruby are also potentially affected.

Packages maintained in the ceropackages repository that were potentially vulnerable are xorp, python-lafs, ccnx, and resiprocate.

Please take this seriously and check your firmware and your products for usage of the vulnerable openssl versions.

We note also that multiple other serious vulnerabilities have been fixed in other CeroWrt and OpenWrt packages and in the Linux kernel over the past years; you should consider fixing those vulnerabilities in your downstream products and routers while you are at it.

We have long been supportive of adding new features to openwrt to make it more easily updated in the field; the work could use more eyeballs and developers, and we need to find resources and funding for a code audit in the coming months.

Notes:

[1] Regrettably, in the present development branch (3.10.36-4) we are trying to isolate a wifi bug that crops up after much traffic; we will announce a fix for that when it arrives. See Bug #442.

[2] The base binary installations as provided by OpenWrt are not vulnerable to HeartBleed, as neither the builtin SSH server nor the optional LuCI SSL support rely on OpenSSL for cryptographic TLS support. Their Attitude Adjustment release used cyassl as a base, and the underway Barrier Breaker development series uses PolarSSL for as many packages as support exists and the GPLv2 license allows. In other words the OpenSSL library is not installed within the stock base images available on the OpenWrt download servers; however, they too contain many optional packages that do depend on openssl to function, and many downstream products may have chosen openssl for those products or as a base for all their packages.

Check your trees and firmware!

And if you are having a bad week, perhaps this will help: http://www.taht.net/~mtaht/uncle_bills_helicopter.html

Stay calm and keep on patching!

-- 
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
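An added example, not code from the announcement or from the CeroWrt/OpenWrt projects, of the "check your firmware" step: a POSIX shell check that reads an opkg status file (on OpenWrt-derived firmware the path is assumed to be /usr/lib/opkg/status) to list installed packages that depend on libopenssl and to flag the Heartbleed-affected libopenssl versions (1.0.1 through 1.0.1f; 1.0.1g carries the fix). The package stanzas and version strings below are constructed sample data.

```shell
# Added example, not from the announcement or from OpenWrt/CeroWrt: inspect an
# opkg status file (assumed path on OpenWrt-derived firmware: /usr/lib/opkg/status)
# for libopenssl dependents and for an affected libopenssl (1.0.1 .. 1.0.1f).
# Constructed sample status file (made-up versions, not real package metadata).
STATUS_SAMPLE=$(mktemp)
cat > "$STATUS_SAMPLE" <<'EOF'
Package: libopenssl
Version: 1.0.1f-1
Depends: libc, zlib

Package: openvpn
Version: 2.3.2-1
Depends: libc, libopenssl, kmod-tun

Package: stunnel
Version: 4.56-1
Depends: libc, libopenssl (>= 1.0.1)
EOF

# Print names of packages whose Depends: line names libopenssl (with or without
# a version constraint). Stanzas are blank-line separated: awk paragraph mode.
openssl_dependents() {
    awk 'BEGIN { RS = ""; FS = "\n" }
         { pkg = ""; hit = 0
           for (i = 1; i <= NF; i++) {
               if ($i ~ /^Package: /) pkg = substr($i, 10)
               if ($i ~ /^Depends: / && ($i " ") ~ /[ ,]libopenssl[ ,]/) hit = 1
           }
           if (hit && pkg != "") print pkg }' "$1"
}

# Print the installed libopenssl version string, or nothing if it is absent.
libopenssl_version() {
    awk 'BEGIN { RS = ""; FS = "\n" }
         $1 == "Package: libopenssl" { for (i = 2; i <= NF; i++)
             if ($i ~ /^Version: /) { print substr($i, 10); exit } }' "$1"
}

# Classify by version. Caveat: a vendor may backport the fix without bumping the
# version string, so confirm against the package changelog as well.
heartbleed_status() {
    v=$(libopenssl_version "$1")
    case "$v" in
        "")                                    echo "libopenssl: not installed" ;;
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo "VULNERABLE: libopenssl $v" ;;
        *)                                     echo "ok: libopenssl $v" ;;
    esac
}

heartbleed_status "$STATUS_SAMPLE"; openssl_dependents "$STATUS_SAMPLE"
```

On a real device, point the functions at the firmware's own status file instead of the constructed sample.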