Author Topic: WZR-HP-G450H Heartbleed Vulnerability in OpenVPN  (Read 4337 times)

coypu76

WZR-HP-G450H Heartbleed Vulnerability in OpenVPN
« on: June 03, 2014, 10:22:48 AM »
OpenVPN uses OpenSSL.  DD-WRT corrected this vulnerability in build 23882 on April 8, 2014.
The most recent official Buffalo firmware for this model is build 20025, which contains the very well-known vulnerability.
I understand that vetting a new firmware version for the official stamp of approval is a complex process that takes time.  Heartbleed is a fairly recently discovered vulnerability.
DD-WRT versions newer than 23882 have the fix, and are available here:
http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F2014%2F

Open any of the three available beta firmwares after the vulnerability fix (23919, 24118, 24160).  Scroll down to buffalo_wzr_hp_g450h for the firmware.

Upgrading from factory software through the web GUI, I can affirm that the factory-to-ddwrt flash procedure appears to work, based on having flashed four routers with new firmware.  After flashing with non-Buffalo DD-WRT firmware, the wzr_hp_g450h-dd-wrt-webupgrade-MULTI firmware is appropriate.

Because the configuration schema can change from version to version, backup configuration files are not recommended for use with versions other than the version in which they were saved; however, it is not necessary to reset to factory defaults when flashing a new DD-WRT version (it is preferred when flashing from factory to non-factory DD-WRT versions).

I look forward to Buffalo publishing a factory DD-WRT update which includes the fix for the Heartbleed OpenSSL vulnerability.

Final note - although the Heartbleed SSL vulnerability exists in the OpenVPN implementation, the current exploits in the wild aimed at it are all directed at SSL-secured websites with the vulnerability.  The bad guys use the exploit to set up a man-in-the-middle session in order to collect credentials and financial information from vulnerable SSL-secured websites where the session begins with a login authentication.  This is the "low hanging fruit" the bad guys can use to make money.

Although it would be possible to exploit Heartbleed in an OpenVPN tunnel, the type of data transmitted is not pro forma (authentication) but ad hoc data - a lot of it.  The cost and effort of sifting through all the data in an always-on VPN tunnel would be prohibitive for the typical cybercriminal who casts a wide net to capture passwords (a saleable commodity).  Therefore it is unlikely that the exploit would be aimed at OpenVPN tunnels unless a network were to be specifically targeted.  But no amount of countermeasures will prevent a skilled and persistent attacker from penetrating a specifically targeted network, as the attacker will continue probing and attacking until penetration is accomplished.  Bottom line - the risk level of Heartbleed for OpenVPN is fairly low from the standard cybercriminal, but high if a specific network is being targeted.  Plan accordingly.
« Last Edit: June 03, 2014, 10:47:23 AM by coypu76 »

Mighty_Joe

Re: WZR-HP-G450H Heartbleed Vulnerability in OpenVPN
« Reply #1 on: June 11, 2014, 04:15:11 PM »
I'm looking at the firmware CD released 2014-05-21 and, though the DDWRT version is still 20025, the release notes state:

Quote
1.10
===========================================================================
 * Updated OpenSSL in the following firmwares to fix Heartbleed vulnerability.
    WZR-HP-G450H professional firmware
    WZR-600DHP professional firmware
    WZR-300HP professional firmware

So it looks like they upgraded the OpenSSL library but not the DDWRT version.
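
Added example (not part of the posts in this thread, and not Buffalo or DD-WRT code): since the build number can stay at 20025 while the OpenSSL library changes, this sketch classifies the string printed by `openssl version` rather than the firmware build. Assumptions: the function name `heartbleed_status` is hypothetical, an `openssl` binary is present on the device, and the affected range is upstream's 1.0.1 through 1.0.1f plus 1.0.2-beta1; vendors sometimes patch without changing the version letter, so "affected-range" means "confirm against the release notes".

```shell
#!/bin/sh
# Classify an `openssl version` line against the upstream Heartbleed
# (CVE-2014-0160) range: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# heartbleed_status is a hypothetical helper name, not a DD-WRT command.
#
#   $1  output of `openssl version`     e.g. "OpenSSL 1.0.1e 11 Feb 2013"
#   $2  output of `openssl version -f`  (optional, compile flags)
heartbleed_status() {
    # Second field of the version line is the release, e.g. "1.0.1e".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return; }

    # A library built without the heartbeat extension does not expose the bug,
    # whatever its version string says.
    case "$2" in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled; return ;;
    esac

    case "$ver" in
        # 1.0.1[a-f]-* covers vendor suffixes such as "1.0.1e-fips".
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo affected-range ;;
        # Pre-release 1.0.1 builds are not classified by this sketch.
        1.0.1-*) echo unknown ;;
        # 0.9.8 / 1.0.0 never had heartbeats; 1.0.1g and later carry the fix.
        *) echo outside-affected-range ;;
    esac
}

# Constructed sample inputs (not captured from a real router).
for line in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-30s %s\n' "$line" "$(heartbleed_status "$line")"
done
```

On a device, the call would be `heartbleed_status "$(openssl version)" "$(openssl version -f)"`.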

davo

Re: WZR-HP-G450H Heartbleed Vulnerability in OpenVPN
« Reply #2 on: June 17, 2014, 11:13:29 AM »
Yeah, it's technically a beta, so the version number wasn't changed.