Hello OpenPLi-Developers,
the current OpenPLi 4 image used OpenSSL 1.0.1e per default and now OpenWebIf (https), OpenSSH ,Dropbear(?), OpenVPN, every software uses these ssl libraries are in great danger!
I know, that a Linux receiver isn't a high secure server, but I think most users have remote access enabled and we should update OpenSSL to version 1.0.1g asap!
tux@vuduo2:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013
tux@vuduo2:~# opkg list-installed
libssl0.9.8 - 0.9.8x-r15.0
libssl1.0.0 - 1.0.1e-r15.0
openssl - 1.0.1e-r15.0
openssl-conf - 1.0.1e-r15.0
python-pyopenssl - 0.13-r1
I have collected all important infos plus test tools here:
The Heartbleed Bug
http://heartbleed.com
OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
SOURCE: https://www.openssl....dv_20140407.txt
https://cve.mitre.or...e=CVE-2014-0160
[Test-Tools]
Web: heartbleed test
http://possible.lv/tools/hb/
Python-Script: OpenSSL heartbeat PoC with STARTTLS support
https://gist.github....eshixx/10107280
hb-test.py
------------------------------------------------------------------------------------
[OpenPLi 4 - OpenWebIf]
tux@vuduo2:~# opkg list-installed
enigma2-plugin-extensions-openwebif - 0.1+git613+19efb31-r7.72
OpenWebIf and HTTPS is active:
https://vuduo2.local
hb-test.py vuduo2.local
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 483
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
..
3ff0: 0F 03 00 00 10 60 86 02 2E 00 00 00 00 00 00 00 .....`..........
WARNING: server returned more data than it should - server is vulnerable!
[OpenPLi 4 - OpenSSH]
tux@vuduo2:~# ssh -V
OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013
[OpenPLi 4 - OpenVPN]
tux@vuduo2:~# opkg list-installed
openvpn - 2.3.2-r0
Info: OpenVPN 2.3.3 Update is available!
https://community.op...ngesInOpenvpn23
Best regards
Michael