OpenWrt Forum Archive

Topic: Patched OpenSSL for Heartbleed vulnerability on Attitude Adjustment?

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Can the packagers please package and update the repositories with a patched version of OpenSSL to address the Heartbleed vulnerability?

If you haven't heard about it, I hate to be the bearer of the most terrible news ever: http://heartbleed.com

I don't seem to have openssl installed, but I do have openvpn. Is AA openvpn built against a vulnerable openssl version?

root@gw:~# openvpn --version
OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013

This doesn't really say much.

root@golden-gate:~# openssl version
OpenSSL 1.0.1c 10 May 2012

It should be affected. But maybe, the critical heartbeat-feature was disabled by one of the the patches.

lkraav wrote:

I don't seem to have openssl installed, but I do have openvpn. Is AA openvpn built against a vulnerable openssl version?

root@gw:~# openvpn --version
OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013

This doesn't really say much.

I'm not sure. Are you sure that you don't have OpenSSL installed? OpenSSL is shipped separately than its command-line tools in OpenWRT if I recall correctly. Search for a passage containing "openssl" and you should see one which is named something like "openssl-tools". Install this and verify the version information.

schoenfeld wrote:

root@golden-gate:~# openssl version
OpenSSL 1.0.1c 10 May 2012

It should be affected. But maybe, the critical heartbeat-feature was disabled by one of the the patches.

Well, we can only hope that it is sad The bug was leaked yesterday and I haven't seen any feedback from the OpenWRT team or seen a package update for OpenSSL on my router yet. I've recompiled packages for OpenSSL in the past and I might have to do it again, but it would be great if packages could be rebuilt for Attitude Adjustment and shipped out to everyone, rather than just to me.

If I do

opkg upgrade openssl

Will I get the latest patch?

No. Binary repository still contains the old 2012/2013 version.

(Last edited by hnyman on 8 Apr 2014, 20:17)

When will the patch hit the binary repository?

I don't think those get updated... They're a snapshot of the 12.09 release. But maybe they do issue an update for security issues like these; the AA branch has been marked 12.09.1 for a while.

Gotcha. I thought for sure that the repositories would be updated consistently with latest security patches.

A note that OpenWrt 10.03.1 uses libopenssl 0.9.8r-1, so not vulnerable to the heartbleed SSL bug.

# opkg info libopenssl
Package: libopenssl
Version: 0.9.8r-1
Depends: zlib
Provides:
Status: install ok installed
Architecture: ar71xx
Installed-Time: 1315497874

Please fork responses to that to a different thread so that this thread can focus on determining when OpenWRT will ship binary patches to OpenSSL to close the Heartbleed vulnerability.

I'm not normally one to use packages posted by random strangers on the internet, but in this case I think the alternative of waiting for an official update with a vulnerable OpenVPN implementation is worse. In any case this package seems to be working fine on my ar71xx device.

Trunk versions are also working for me with OpenVPN on the ar71xx platform.

# cd /tmp

(confirm vulnerable versions are present)
# opkg list | grep openssl
libopenssl - 1.0.1e-1
openssl-util - 1.0.1e-1

(download the trunk packages for ar71xx)
# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/libopenssl_1.0.1g-1_ar71xx.ipk
# wget http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/openssl-util_1.0.1g-1_ar71xx.ipk

(install the new packages)
# opkg install libopenssl_1.0.1g-1_ar71xx.ipk
Upgrading libopenssl on root from 1.0.1e-1 to 1.0.1g-1...
Configuring libopenssl.

# opkg install openssl-util_1.0.1g-1_ar71xx.ipk
Upgrading openssl-util on root from 1.0.1e-1 to 1.0.1g-1...
Configuring openssl-util.

(confirm the new versions are present)
# opkg list | grep openssl
libopenssl - 1.0.1g-1
openssl-util - 1.0.1g-1

(reboot to ensure the new libraries are used by all programs)
# reboot

Regards,
Tim Miller Dyck

lkraav wrote:

I don't seem to have openssl installed, but I do have openvpn. Is AA openvpn built against a vulnerable openssl version?

root@gw:~# openvpn --version
OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013

This doesn't really say much.

I would like to know this as well. Openssl seem to be patched in AA but OpenVPN isn't.
The OpenVPN developers are releasing patches/upgraded versions to address this problem. So it seems that the OpenVPN software also has to be patched/recompiled.

More information on the OpenVPN forum: https://forums.openvpn.net/topic15526.html

p2baron wrote:

I would like to know this as well. Openssl seem to be patched in AA but OpenVPN isn't.
The OpenVPN developers are releasing patches/upgraded versions to address this problem. So it seems that the OpenVPN software also has to be patched/recompiled.

More information on the OpenVPN forum: https://forums.openvpn.net/topic15526.html

On openwrt, OpenVPN is dynamically linked against the system provided libssl:

root@OpenWrt:~# ldd /usr/sbin/openvpn 
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x771ed000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x770ad000)
    liblzo2.so.2 => /usr/lib/liblzo2.so.2 (0x77082000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7705f000)
    libc.so.0 => /lib/libc.so.0 (0x76ff3000)
    libdl.so.0 => /lib/libdl.so.0 (0x76fdf000)
    ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x77246000)

So, simply updating to the libopenssl_1.0.1g-1_ar71xx.ipk package and restarting openvpn (reboot if you really want to be sure) will make openvpn take the patch. Now, you'll still have to consider rekeying and reissuing certs but updating that package will stop the bleeding.

(Last edited by yokem55 on 9 Apr 2014, 19:35)

Most good software will dynamically link to an external library and it pays off in situations like this. OpenVPN doesn't need to do anything to fix the Heartbleed vulnerability, once libssl is redistributed, the bug is fixed.

In addition to recreating my entire public/private key infrastructure, now I need to also recompile OpenSSL for my router wink

On a related note, why doesn't OpenWRT ship new  versions of packages including security patches? I thought that the package management on OpenWRT was similar to other Linux distributions where security-related fixes were maintained but newer versions of software go in newer OS major versions.

thdyck wrote:
(confirm vulnerable versions are present)
# opkg list | grep openssl
libopenssl - 1.0.1e-1
openssl-util - 1.0.1e-1

...

(confirm the new versions are present)
# opkg list | grep openssl
libopenssl - 1.0.1g-1
openssl-util - 1.0.1g-1

Shouldn't that be list-installed (list installed packages, rather than available packages)?

root@OpenWrt:~# opkg
opkg must have one sub-command argument
usage: opkg [options...] sub-command [arguments...]
where sub-command is one of:

...

Informational Commands:
        list                    List available packages
        list-installed          List installed packages

Seems like a good time to release 12.09.1, which has a lot of other fixes included. At a minimum, adding the appropriate packages to the 12.09 repository seems like a good idea.

drawz wrote:

Seems like a good time to release 12.09.1, which has a lot of other fixes included. At a minimum, adding the appropriate packages to the 12.09 repository seems like a good idea.

Agreed, this needs to happen immediately.

drawz wrote:

Seems like a good time to release 12.09.1, which has a lot of other fixes included. At a minimum, adding the appropriate packages to the 12.09 repository seems like a good idea.


I +1 this!

The discussion might have continued from here.