
OK, so I first heard about Heartbleed a few hours ago through the Stack Exchange questions feed, and after a moment's panic, realised that the only web servers I have secured via OpenSSL are on the internal network. Patched anyway, but now I have been scratching my head on whether or not other services are vulnerable. Specifically I am wondering about router-type devices such as:

  • Cisco ASAs
  • DD-WRT routers
  • NASes with VPN support

I believe some of these use OpenSSL for things like SSH, point-to-point or site-to-site VPNs, the mini web servers they run for the admin interface, etc. But I have been batting my head against a wall trying to find the versions running on them. For instance, on our DD-WRT device, I have been unable to even find an OpenSSL command in the filesystem, so maybe I am wrong about them using OpenSSL at all.

I am fairly sure that ASAs running 8.4 are on 0.9.8 and thus safe (but would really like confirmation as, again, I was unable to find this for certain in the ASDM or telnet interfaces), and if that's true I suppose we can assume older versions of ASA will be similarly safe.

Does anyone have any information on these kinds of devices?

Edit: I've been reading these meta questions (they're on SO, but I think they may be stack-agnostic, as it were) to try to figure out what the best practice is here, as I think the correct answer may actually be a combination of what's here. That's probably my fault as much as anyone's, because I suppose this is actually a compound question itself. I've considered posting my own answer and accepting it, combining the available information about several devices plus what I found about the exact affected DD-WRT build numbers, but I wonder if that's not kind of rude considering that you guys have supplied most of it and that way I deny EVERYONE the accepted-answer rep. I know the accepted practice (from those meta.SO links) seems to be to pick the best one by my own conditions and upvote the rest (the latter of which is done), but different answers here are equally good for different parts of my question. Any thoughts? (Even, should this edit be a meta.sec question of its own? I hesitate to do that when the question seems to have been asked so many times already on other metas.)

Chris O'Kelly

  • +1 I would also like to know if OpenSSH is vulnerable. It also features a heartbeat thing (http://freecode.com/projects/openssh-watchdog) but I cannot find out quickly if that is linked to the heartbeat feature's bug in OpenSSL – humanityANDpeace Apr 08 '14 at 05:52
  • http://www.reddit.com/r/netsec/comments/22gaar/heartbleed_attack_allows_for_stealing_server/cgmla8m - just saw this, which suggests that OpenSSH is OK. Although they didn't mention that watchdog service so now I am less sure... way to make me EVEN more paranoid, geez :p – Chris O'Kelly Apr 08 '14 at 06:03
  • [SSH is not based on the TLS protocol](http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit#comment87050_55076), so the Heartbleed bug should not be exploitable via OpenSSH. – 200_success Apr 08 '14 at 18:30

6 Answers

I've found a nice post from a Cisco Support Engineer regarding the ASA:

However, if you are trying to find the OpenSSL version for an ASA (Adaptive Security Appliance), you can determine this version from the ASA release notes. Simply examine the "Open Source" notes that are located in the release notes of the particular ASA image you are concerned with. For example, from the ASA 8.4 release notes, you will find a section titled "Related Documentation", which has a link that points to "ASA Series Documentation". From there, you will find a link for "Open Source License". That will take you to an "Open Source" page which reveals that the OpenSSL version that runs on the ASA 8.4 code is "0.9.8f"

Because of this, neither 8.4(x) nor 9.1(x) is vulnerable, as they use parts of OpenSSL version 0.9.8f.

mbrownnyc

  • You know it's interesting, that's the exact same post I read - but the version isn't listed for the 8.2 version we have (in the open source documentation for 8.2 OpenSSL is listed but no version). I just made the assumption that they wouldn't have downgraded the version between 8.2 and 8.4. – Chris O'Kelly Apr 08 '14 at 21:33

DD-WRT does use OpenSSL 1.0.1 and is vulnerable. There was an update posted just 22 hours ago to the trac page: http://svn.dd-wrt.com/browser/src/router/openssl

You can view the CHANGES file for details.

cscracker

  • Thanks very much for the info, do you know how to actually apply this update? I am looking for a new firmware file or similar on the site but not finding one. (At the moment I am attempting to follow the instructions [here](http://www.dd-wrt.com/wiki/index.php/Building_From_Source) to modify our existing firmware file with the changes from that SVN; I am still trying to get my head around it but will update with my results.) – Chris O'Kelly Apr 08 '14 at 22:39
  • I am thoroughly confused - opened my `.bin` up with the tools provided in the page there, and nowhere on the filesystem could I find anything to do with OpenSSL. I'm thinking maybe one needs to download the whole source and re-build it using the appropriate build options, but I am way out of my league. Bet that a .bin is available from the dd-wrt site by the time I figure it out (probably 3 or 4 minutes later, knowing my luck) – Chris O'Kelly Apr 09 '14 at 04:39

From Cisco Security Advisory on OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products (Advisory ID: cisco-sa-20140409-heartbleed, April 9, 2014):

Vulnerable Products

The following Cisco products are affected by this vulnerability:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7900, 8900, 9900 series IP Phones
  • Cisco TelePresence Video Communication Server (VCS)

Other Cisco products may be affected by this vulnerability. The list of affected products will be updated as the investigation continues.

and

Products Confirmed Not Vulnerable

The following Cisco products have been analyzed and are not affected by this vulnerability:

  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco ACE Application Control Engine
  • Cisco AnyConnect Secure Mobility Client for desktop platforms
  • Cisco AnyConnect Secure Mobility Client for Android
  • Cisco CSS 11500 Series Content Services Switches
TildalWave

user43863

On my DD-WRT router, accessed via SSH:

First I could see that the version of /usr/lib/libssl* is 0.9.8. Also, running strings on said lib shows v0.9.8 within:

$ strings /usr/lib/libssl.so.0.9.8 | grep OpenS
OpenSSLDie
SSLv2 part of OpenSSL 0.9.8l 5 Nov 2009
SSLv3 part of OpenSSL 0.9.8l 5 Nov 2009
TLSv1 part of OpenSSL 0.9.8l 5 Nov 2009
DTLSv1 part of OpenSSL 0.9.8l 5 Nov 2009
OpenSSL 0.9.8l 5 Nov 2009

p.s. I also got EOF on filippo.io's tool, but that's just an unimplemented part of the test (http://filippo.io/Heartbleed/faq.html#wentwrong)

nhed

  • Funnily enough, when I open /usr/lib on my router via SSH I don't even have a libssl - I think at some point between our builds it had been baked into the firmware (though it turns out my 2013 build #18946 was still pre version 1, so no issue). Useful info though, thanks – Chris O'Kelly Apr 10 '14 at 21:36
  • @chrisokelly even if they statically link you may be able to use the strings trick, but you need to know which executables to look in, and they may be stripped of that info. You still can use the tool above, but it does give a lot of non-definitive answers (I only managed to get one vulnerable machine with it, a Synology box) – nhed Apr 11 '14 at 11:32

As far as DD-WRT goes, it depends on the version. A lot of the "current" DD-WRT releases pre-date the introduction of the heartbeat feature (2012) and the associated security vulnerability into OpenSSL. If your DD-WRT was built since 2012 it is vulnerable. The version of DD-WRT I am running on my internal routers is from 11/12 and when I run the heartbleed test I cloned from filippo.io against them I get "ERROR: EOF". :-/ My internet-facing router (not running DD-WRT) is OK.

I also checked my Synology, which is running the version before the current release (5.0), and it is vulnerable. I've disabled access to it from the internet until Synology releases a fix for this and I have a chance to apply it.

There is a list here:

https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929

  • Thanks for the confirmation - my dd-wrt is from 2013 so I am trying to build from source with the fix - disabling remote admin is definitely a good idea and something I've done in the meantime, do you know whether the OpenVPN feature would be vulnerable also? EDIT: after your edit with the list it looks like that would be a solid yes. – Chris O'Kelly Apr 09 '14 at 21:28
  • I have an old DD-WRT image (dated 2010) and it also gives the EOF error with the filippo.io tool, and I don't see new bins on the dd-wrt site yet – nhed Apr 10 '14 at 02:23
  • Sweet, just got confirmation I don't need to rebuild - The affected builds are 19163 through 23882 – Chris O'Kelly Apr 10 '14 at 21:33
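The `strings` trick from nhed's answer and the affected DD-WRT build range from the comment above, turned into a small offline check. This is an added example, not code from any answer; the sample `strings` output is constructed, and the file paths in `scan_files` are assumptions to adjust for your own device.

```shell
#!/bin/sh
# Added example, not from the answers above: classify OpenSSL version strings
# found with `strings`, and check a DD-WRT build number against the affected
# range quoted in the comments (19163 through 23882).

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g fixed it; 0.9.8 and 1.0.0 never contained the code.
heartbleed_status() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) echo vulnerable ;;
    1.0.1[g-z]*|1.0.2*|1.1*)                 echo fixed ;;
    0.9.*|1.0.0*)                            echo not-affected ;;
    *)                                       echo unknown ;;
  esac
}

# Read `strings` output on stdin, pull out every "OpenSSL <version>" token
# (a name like "OpenSSLDie" does not match), and print "<version> <status>".
scan_strings() {
  grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-beta[0-9]*)?' \
    | cut -d' ' -f2 | sort -u \
    | while read -r v; do echo "$v $(heartbleed_status "$v")"; done
}

# Scan real files on a device. Statically linked daemons still carry the
# version string, so pass binaries as well as libssl (paths are assumptions).
scan_files() {
  for f in "$@"; do
    [ -f "$f" ] && strings "$f" | scan_strings
  done
}

# DD-WRT build numbers 19163 through 23882 were confirmed affected.
ddwrt_build_affected() {
  if [ "$1" -ge 19163 ] && [ "$1" -le 23882 ]; then echo yes; else echo no; fi
}

# Constructed sample of `strings` output (not captured from a real router).
SAMPLE='OpenSSLDie
SSLv3 part of OpenSSL 0.9.8l 5 Nov 2009
OpenSSL 0.9.8l 5 Nov 2009
TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013'

printf '%s\n' "$SAMPLE" | scan_strings   # 0.9.8l not-affected / 1.0.1e vulnerable
ddwrt_build_affected 18946               # no
```

On a real box, run `scan_files /usr/lib/libssl.so* /usr/sbin/httpd /usr/sbin/openvpn` (or whatever daemons your firmware ships); a "vulnerable" line means the binary embeds an affected version string.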

Synology is affected but is prepping an update for DSM 5 and DSM 4.3 tomorrow. A patch for DSM 4.2 will be delivered in one week.

From a release I got from Synology (I'm a journalist):

Synology® DSM 5.0 Secured Against OpenSSL Heartbleed Vulnerability

Taipei, Taiwan—April 11th, 2014—Synology® Inc. today releases the latest DSM 5.0-4458 Update 2 to resolve the vulnerability CVE-2014-0160 (also known as the Heartbleed bug) in the OpenSSL software.

As OpenSSL is one of the largest encryption libraries on the Internet today and has been used by many websites, Synology has taken immediate action to mitigate this issue:

  • For DiskStation and RackStation running DSM 5.0 and DSM 4.3, it is strongly recommended to apply DSM 5.0-4458 Update 2 via Control Panel and renew SSL certification (read more in Security Advisory).
  • For DiskStation or RackStation running DSM 4.2, a patch will be delivered in one week.
  • MyDS Center servers have been patched and are safe to use. However, MyDS Center users are strongly suggested to change MyDS password to ensure the safety of their personal information.

Synology values data & system security as one of its prime directives, and will continue devoting resources to equip our solutions with reliable security measures to prevent potential threats. If users need help with their systems after being upgraded to the latest DSM version or have any further questions, please contact security@synology.com.

film_girl