openSSL heartbleed vulnerability

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

Moderator: Moderators

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: openSSL heartbleed vulnerability

Post by throughwalls »

From https://openvpn.net/index.php/open-sour ... howto.html
Hardening OpenVPN Security

One of the often-repeated maxims of network security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. OpenVPN provides several mechanisms to add additional security layers to hedge against such an outcome.

tls-auth

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

DoS attacks or port flooding on the OpenVPN UDP port.
Port scanning to determine which server UDP ports are in a listening state.
Buffer overflow vulnerabilities in the SSL/TLS implementation.
SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.

In the server configuration, add:

tls-auth ta.key 0
In the client configuration, add:

tls-auth ta.key 1
These last two underlined configuration lines are set up in the gargoyle openvpn. This is a relief. When used in conjunction with UDP transport, this suggests the vpn is not immediately vulnerable.

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

Any update on how to patch our routers?

Thanks!
-m

FriedZombie
Posts: 16
Joined: Tue Jan 07, 2014 2:09 pm

Re: openSSL heartbleed vulnerability

Post by FriedZombie »

Since both the gargoyle and official repo are configured within opkg, you can simply update openssl via ssh. (if enough space is availllable on the device).
The only drawback is that if you reset the settings of the router, the older version that is also stored in ram is back as well.

To update the libopenssl package, simply enter the following commands via ssh:

Code: Select all

opkg update
opkg upgrade libopenssl
http://goo.gl/d2YFTl --- WEP encryption is bad
http://goo.gl/uLDPJ1 --- Hidden ssid more secure?
http://goo.gl/o2kFI9 --- TTL-USB cable I use

maxslug
Posts: 9
Joined: Fri Nov 15, 2013 6:45 pm

Re: openSSL heartbleed vulnerability

Post by maxslug »

FriedZombie wrote: you can simply update openssl via ssh.
Please read the rest of the thread. The opkg update is broken due to a bug in gpkg.

Is there any resolution to that issue?

Thanks,
-m

Post Reply