'Heartbleed' vulnerability and OpenSSL in Asuswrt-Merlin

bgvaughan

Occasional Visitor
I've just been reading about the bug in OpenSSL, CVE-2014-0160, present in OpenSSL versions 1.01 - 1.01f. If I understand correctly, OpenSSL is used in OpenVPN, and I would guess it would be used in generating certificates for HTTPS access to the router administration page. I don't know what version is used in the current or past versions of Asuswrt-Merlin. Is it vulnerable? If so, can this be patched?

Some articles on the 'Heartbleed' vulnerability:

Was discussed on IRC, shouldn't affect this router as we are running the 1.0.0i branch


11:20 < Guardian452> the optware openssl package is 1.02 Iirc
11:22 < saintdev> merlin is running 1.0.0i, asus just upgraded from 1.0.0b to 1.0.0d in their 4887 release
11:23 < Guardian452> patch is in 1.0.0g+ I think
11:23 < silentfury> the 1.0.0 branch isnt vulnerable
11:24 < saintdev> "Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1."
11:24 < saintdev> and 1.0.2-beta1 is the latest available

Yes, definitely Merlin's openssl package is not vulnerable. On my router it is 1.0.0.j. But see THIS THREAD. As you can see, I asked a question about the Windows OpenVPN client, but the answer is that the OpenSSL library is statically linked within the OpenVPN binary at compile time. In particular, for OpenVPN 2.3.2 it is OpenSSL 1.0.1e, which is vulnerable. So the important question for us is "Which OpenSSL version is used within Merlin's OpenVPN binary?", or maybe Merlin's OpenVPN 2.3.2 implementation does not include the OpenSSL library within the binary and uses the system's OpenSSL library, which is 1.0.0j?

Merlin, would you be so kind as to clarify these issues?

The server running on the router is dynamically linked with the openssl library that ships with the router firmware. It's compiled at the same time as the rest of the firmware; it's not a precompiled package.

The Windows client is a particular case, because Windows does not (for obvious reasons) come with a copy of OpenSSL. So the OpenVPN packagers are statically linking it into the Win32 client.

I don't know if clients are vulnerable/exploitable however, or if it's a server-only issue. That is something you should ask the OpenVPN maintainers.

Thank you Merlin! Now things are much clearer. As the server running on the router is dynamically linked with the openssl library that ships with the router firmware, the OpenVPN server included in your firmware is not vulnerable. The answer I received in the OpenVPN forum is that the W32 client is statically linked to the 1.0.1 OpenSSL library, which means that it is vulnerable. And yes, the clients are also vulnerable. Thank you again, at least I am sure now that my home OpenVPN server is OK.
 
Just to add some useful information from the OpenVPN developers team:

The OpenVPN dev team is aware of CVE-2014-0160/Heartbleed and is actively working on a fix. First off, we have released a new Windows build, available immediately, which uses OpenSSL 1.0.1g, which is safe. Additionally, on Thursday, April 10, we will be releasing OpenVPN 2.3.3, with a number of fixes/enhancements.

Primarily, 2.3.3 passes the IV_GUI_VER environment variable which identifies the version of OpenVPN being used. A server-side script can be used to deny access to users utilizing a vulnerable version of OpenVPN/OpenSSL.

OpenSSL < 1.0.1 or >= 1.0.1g or PolarSSL are NOT vulnerable to the heartbeat attack. Client/server connections that utilize TLS auth, and whose keys have been kept secure, are also safe, as they prevent the MITM attack needed to compromise the connection.

The full thread is HERE
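One way to act on the IV_GUI_VER point above from the server side, as an added example that is not OpenVPN project code: a client-connect hook that refuses Windows clients whose installer predates the rebuilt, 1.0.1g-based release. It assumes OpenVPN exports the client's peer-info fields IV_PLAT, IV_VER and IV_GUI_VER plus script_type into the hook's environment, that IV_PLAT is "win" for Windows clients, and that a non-zero exit rejects the connection; the sample IV_GUI_VER value is constructed.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): OpenVPN --client-connect hook that
# refuses Windows clients bundling a pre-fix OpenSSL. Assumes OpenVPN exports
# IV_PLAT, IV_VER, IV_GUI_VER and script_type to the hook's environment.

# "2.3.2" -> 2003002 so dotted versions compare as integers; any non-numeric
# suffix such as "_rc1" is dropped first.
ver_num() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//' |
        awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Policy decision: prints the reason and returns 0 (allow) or 1 (deny).
# The Windows client statically links OpenSSL (Merlin's reply above), so the
# client version is the only signal the server has. 2.3.3 is the first
# release that both ships the fixed library and sends IV_GUI_VER, so a present
# IV_GUI_VER or IV_VER >= 2.3.3 is accepted. IV_VER alone cannot tell the
# rebuilt 2.3.2 installer from the original one, so older Windows versions are
# refused. Other platforms link the system OpenSSL, which the server cannot
# see; they are allowed and the reason is logged.
heartbleed_policy() {   # args: IV_PLAT IV_VER IV_GUI_VER
    plat=$1; ver=$2; gui=$3
    case "$plat" in
        win)
            if [ -n "$gui" ] || [ "$(ver_num "$ver")" -ge "$(ver_num 2.3.3)" ]; then
                echo "allow: Windows client $ver (gui='$gui')"
                return 0
            fi
            echo "deny: Windows client $ver predates the 1.0.1g rebuild"
            return 1 ;;
        *)
            echo "allow: $plat client $ver, system OpenSSL not visible to the server"
            return 0 ;;
    esac
}

# Entry point when OpenVPN runs this file as the client-connect hook.
if [ "${script_type:-}" = client-connect ]; then
    heartbleed_policy "${IV_PLAT:-}" "${IV_VER:-}" "${IV_GUI_VER:-}" || exit 1
fi
```

Install it with client-connect pointing at this file and a script-security level that permits external scripts; OpenVPN logs the echoed reason with the client's connection attempt.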
 
If the Merlin firmware is using a 1.0.0 version of openssl, why do I get:

admin@router:/tmp/home/root# opkg list-installed | grep ssl
libopenssl - 1.0.1e-2

on my N66U with 3.0.0.4.374.35_4 (Merlin build)?

This is the OpenSSL package included in Entware. It is different from the OpenSSL included in the firmware itself. To see what version the FW's OpenSSL is, type "openssl version" on the command line.

Thank you. All fine then :)
 
Hello,

I am new here, but I can't find an answer to my problem. I have OpenVPN running on an Asus RT-AC66U with firmware version 3.0.0.4.374_4561 and the OpenVPN app on iOS.

I can't find anywhere which version of OpenSSL I am using.

Does anyone know if I am vulnerable to the Heartbleed bug?

Is there any way for me to find out which version I am running on my Asus, and how this works in combination with my app for iOS (is this still safe)?

I hope someone can help me.

Thanks in advance.

Most probably your Asus router is not vulnerable - see the postings above. But if you want to check the OpenSSL version included in the router's FW, just type "openssl version" on your router's command line. Any result below 1.0.1 is fine.

I have no experience with iOS and don't know how to do a version check under iOS.
 
Thanks for your reply. My router is currently running 1.0.0b, so it is not affected by the bug.

So that is a relief.

I only have to find out what type of OpenSSL the OpenVPN app uses.

Thanks again.
 
No,
in the About it only states which version of OpenVPN it is. It does not state which version of OpenSSL it uses, unfortunately.

According to my iPhone 5 running 7.0.6, it's running 0.9.8y (for devices running Cydia, that is).
 
OK, sorry.
What about the version history in the App Store then?
Slightly confused memory that I have seen it... somewhere.
No iOS device in my hands atm.
BR

 
I have a RT-AC56U and the procedure I used is as follows:

Enable telnet and then use something like PuTTY (remember to select telnet and not SSH) to log in using the normal admin/password account.

Once logged in run the following command:

# openssl version -a

You should get an output like:

OpenSSL 1.0.0b 16 Nov 2010
built on: Thu Feb 20 20:03:44 CST 2014
platform: linux-armv4
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: arm-brcm-linux-uclibcgnueabi-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -ffunction-sections -fdata-sections -DTERMIO -O3 -Wall -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM
OPENSSLDIR: "/etc"


If the version (as above) is NOT 1.0.1 (unless it is 1.0.1g, which is highly unlikely) then you do NOT have the vulnerability.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
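The version rule in the procedure above, and the firmware-versus-Entware distinction raised earlier in the thread, as an added example that is not from the thread or the Asuswrt-Merlin project: a POSIX sh function that reads either the first line of "openssl version" or an opkg list-installed line and classifies it against the affected range. The sample lines are constructed from values reported in this thread; the 1.0.2-beta2 classification is my own addition, since that release came out after this discussion.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): classify an OpenSSL
# version string against the CVE-2014-0160 range quoted above. Accepts the
# firmware's "openssl version" line ("OpenSSL 1.0.1e 11 Feb 2013") as well as
# the Entware package line ("libopenssl - 1.0.1e-2") so both copies on a
# router can be checked with the same rule.
heartbleed_status() {
    # Extract the x.y.z[letter][-betaN] token. The leading space guarantees a
    # non-digit precedes the version even when the string starts with it; the
    # opkg "-2" package revision is deliberately not part of the token.
    ver=$(printf ' %s\n' "$1" | sed -n \
        's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    case "$ver" in
        '')               echo "unknown" ;;        # no version token found
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;     # 1.0.1 through 1.0.1f
        1.0.2-beta1)      echo "vulnerable" ;;     # the only 1.0.2 beta at the time
        1.0.1[g-z]*)      echo "fixed" ;;          # 1.0.1g and later 1.0.1 releases
        1.0.2-beta*)      echo "fixed" ;;          # 1.0.2-beta2 shipped after the fix
        *)                echo "not-vulnerable" ;; # 0.9.8x, 1.0.0x, 1.0.2 final, newer
    esac
}

# Constructed sample lines matching what this thread reports: the firmware
# copy, the Entware copy, and the rebuilt Windows client's library.
for line in "OpenSSL 1.0.0j 10 May 2012" \
            "libopenssl - 1.0.1e-2" \
            "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-30s -> %s\n' "$line" "$(heartbleed_status "$line")"
done
```

On the router itself, feed it "$(openssl version)" for the firmware copy and "$(opkg list-installed | grep ssl)" for the Entware copy; only services that load the Entware library are exposed to the second result.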
 
I ran the exploit test and it reported my router is vulnerable on port 443. Try your own.

http://filippo.io/Heartbleed/

RT-N66U running 3.0.0.4.374.39_0-em

OpenSSL reports as 1.0.0j 10 May 2012

This is very strange. Do you have any additional services (from Entware, Optware, etc.) running on your router? Could you post here the screenshot of the above test results?

I don't have Entware, Optware, or anything else other than the Merlin FW. Here's what a positive result looks like.
 

Attachment: heartbleed.jpg