
Heartbleed Bug

Discussion in 'Tomato Firmware' started by zatoom, Apr 8, 2014.

  1. zatoom

    zatoom Addicted to LI Member

  2. bripab007

    bripab007 Network Guru Member

  3. Gruelius

    Gruelius Connected Client Member

    can we replace the openssl binaries without getting a new toastman build? have had to turn my VPN off for the time being
     
  4. RMerlin

    RMerlin Network Guru Member

    Many recent Tomato builds use OpenSSL 1.0.1b, which is vulnerable. It will need to be upgraded to 1.0.1g.

    This might vary based on the Tomato variant you are using.
     
  5. shibby20

    shibby20 Network Guru Member

    i compiled tomato-arm with openssl 1.0.1g and

    All good, <my_ip>:443 seems not affected!

    :)

    Public release with new openssl for all routers will be out as soon as possible.
     
    wistlo, JoeDirte and tievolu like this.
  6. sziggle

    sziggle Networkin' Nut Member

    some of my shibby-equipped routers are remote to me and i will not be able to flash new firmware to them safely. is there a how-to anywhere for updating just the openSSL package from the command line (via SSH)?
     
  7. JoeDirte

    JoeDirte Serious Server Member

    From: http://www.kb.cert.org/vuls/id/720951

    Solution
    Apply an update

    This issue is addressed in OpenSSL 1.0.1g. Please contact your software vendor to check for availability of updates. Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items.

    Disable OpenSSL heartbeat support


    This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

    Use Perfect Forward Secrecy (PFS)

    PFS can help minimize the damage in the case of a secret key leak by making it more difficult to decrypt already-captured network traffic. However, if a ticket key is leaked, then any sessions that use that ticket could be compromised. Ticket keys may only be regenerated when a web server is restarted.
     
  8. jerrm

    jerrm Network Guru Member

    No easy way. The only way I can think of would need USB or JFFS available.

    You would need to copy the updated binaries to USB/JFFS, then put in an init or automount script to stop the openssl dependent services, "mount -o bind" the new binaries over the old binaries, then restart the services.
     
    Last edited: Apr 8, 2014
  9. sziggle

    sziggle Networkin' Nut Member

    i do have jffs enabled everywhere.

    but i'm not familiar with chroot in practice and i don't know what it means to <"mount -o bind" the new binaries over the old binaries>.

    it looks to me like there is a single binary for openssl. any reason i couldn't just copy over a patched new binary?
     
  10. RMerlin

    RMerlin Network Guru Member

    Flash is read-only. You would need to store it on JFFS, then use "mount -o bind" to mount the replacement on top of it.
     
  11. Mangix

    Mangix Networkin' Nut Member

    Wouldn't it make sense to just edit the Makefile with -DOPENSSL_NO_HEARTBEATS ? The heartbeat functionality in TLS is not useful at all. This would also give a slightly smaller size.
     
  12. sziggle

    sziggle Networkin' Nut Member

    ok, can you show me the actual command line i would use to just replace a single binary from /usr/sbin with a corresponding binary stored on the jffs partition?
     
  13. RMerlin

    RMerlin Network Guru Member

    Code:
    mount -o bind /jffs/newbin /usr/sbin/oldbin
    
    This however won't survive reboots. And I doubt this will work well with the OpenSSL library, because you need to ensure that no application has loaded the old version at the time you try to mount the replacement library on top of it. So that means the mount bind must occur before httpd, dropbear, openvpn and any other service linked to ssl/crypto is started.
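The stop/bind/restart sequence jerrm and RMerlin describe, written out as an init-script fragment. This is an added example, not code from the thread or from any Tomato build: it assumes Tomato's `service NAME stop|start` helper, the service list in `SSL_SERVICES`, and /jffs as the writable store. `DRY_RUN=1` only prints the commands so the sequence can be rehearsed before it touches a remote router.

```shell
# Added example: bind-mount patched OpenSSL libraries kept on JFFS over the
# read-only flash copies, stopping every SSL-linked service first so that no
# running process still maps the old library (RMerlin's ordering caveat).
# Assumptions: Tomato's `service` helper and the service names below.

SSL_SERVICES="${SSL_SERVICES:-httpd dropbear openvpn vsftpd}"

# Run a command, or just print it when DRY_RUN=1 so the sequence can be rehearsed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Refuse to bind anything that is not a plain file on both sides, and report
# (return 2) when the replacement is byte-identical to the flash copy.
check_replacement() {
    repl=$1; target=$2
    [ -f "$repl" ]   || { echo "missing replacement: $repl" >&2; return 1; }
    [ -f "$target" ] || { echo "missing target: $target" >&2; return 1; }
    if cmp -s "$repl" "$target"; then
        echo "identical to target, skipping: $target" >&2
        return 2
    fi
}

# True when TARGET already carries a mount (second field of /proc/mounts),
# so a re-run of the script does not stack bind mounts.
is_bound() {
    grep -q " $1 " /proc/mounts 2>/dev/null
}

# Stop services, bind each REPL over its TARGET, then start services again.
# Usage: bind_ssl_libs /jffs/lib/libcrypto.so.1.0.0 /usr/lib/libcrypto.so.1.0.0 \
#                      /jffs/lib/libssl.so.1.0.0    /usr/lib/libssl.so.1.0.0
bind_ssl_libs() {
    if [ $# -lt 2 ] || [ $(($# % 2)) -ne 0 ]; then
        echo "usage: bind_ssl_libs REPL TARGET [REPL TARGET ...]" >&2
        return 1
    fi
    for svc in $SSL_SERVICES; do run service "$svc" stop; done
    while [ $# -ge 2 ]; do
        repl=$1; target=$2; shift 2
        if is_bound "$target"; then
            echo "already bound: $target" >&2
            continue
        fi
        if check_replacement "$repl" "$target"; then
            run mount -o bind "$repl" "$target"
        fi
    done
    for svc in $SSL_SERVICES; do run service "$svc" start; done
}
```

Because the bind mount does not survive a reboot, the call has to live in an init script that runs before the services are started; the replacement library must also come from the same toolchain as the firmware, since a mismatched build fails at load time rather than at mount time.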
     
  14. RMerlin

    RMerlin Network Guru Member

    Then one year from now a dev forgets about that vuln and re-enables it, making the router vulnerable.

    It's always better to update the code to a non-vulnerable one than to simply hide the hole behind something. It prevents issues down the road. Especially when it should be trivial to update the code in this case.
     
  15. Mangix

    Mangix Networkin' Nut Member

    But the Makefile for OpenSSL for Tomato (at least shibby's builds) disables a lot of stuff like ECC to keep the filesize down. Disabling Heartbeat support is easy to do as well and should make the builds a tiny amount smaller. Heartbeat support is also completely useless except for DTLS which tomato does not use AFAIK.

    That being said there's no harm in updating OpenSSL. It should be done regardless.
     
  16. sziggle

    sziggle Networkin' Nut Member

    thanks! i can write an init script that shuts down the relevant services, re-creates the mount, and then re-starts the services.

    that is, believe me, a way better solution than trying to walk my gf through flashing the router at her house, my brother at his house...
     
  17. Mangix

    Mangix Networkin' Nut Member

    set up SSH servers and flash remotely.
     
  18. cloneman

    cloneman Networkin' Nut Member

    What's at risk here, just the data exchanged during HTTPS remote admin? In its current unpatched state, it's like having remote admin using port 80, unencrypted, right?

    Another way to ask it: being vulnerable to heartbeat is still better than not having openSSL at all for remote management? Or does the sheer presence of openssl allow access to other resources on the router, even if you never use remote management?
     
  19. Mangix

    Mangix Networkin' Nut Member

    It's a bug that leaks 64KB of memory. I have no idea what is actually leaked. Some people say private keys but there is no evidence of that that I have seen. It's still worrisome though.

    You should not be using Remote Management at all. Leaving aside bugs in OpenSSL, I don't believe the current authentication mechanism to be any good. The source code of the default http server for tomato is full of unsafe functions like strcpy and strcmp. For example last I looked, logging in was just a strcmp between http_passwd and the input. No idea if this is exploitable.

    You're better off using an SSH tunnel or maybe OpenVPN.
     
  20. sziggle

    sziggle Networkin' Nut Member

    except openVPN uses openSSL so has the same vulnerability. and i use openVPN on several of the routers i manage so i still need to get the patched version of openSSL on those routers.

    but i agree on using an SSH tunnel. i think i am going to just tunnel the web admin through SSH and not allow any other means of remote management for my routers.
     
  21. Kim K

    Kim K Serious Server Member

    What about those with older 4MB flash devices that are currently running older builds as newer builds won't fit any more?
     
  22. BikeHelmet

    BikeHelmet Networkin' Nut Member

    That's what I've been doing for a while. Fire up Putty, connect via SSH, then launch PuttyFox. (Just portable firefox configured with Putty as the proxy/tunnel.)

    Hmm... looks like I'm flashing my router again!
     
  23. RMerlin

    RMerlin Network Guru Member

    ECC is actually something that will have to become more commonly used in the near future.
     
  24. Mangix

    Mangix Networkin' Nut Member

    ssh/telnet in to your router and type 'openssl version'. that should give you an answer.
     
  25. Kim K

    Kim K Serious Server Member


    Sorry, I should have been clearer. I meant, how do those users of older routers get an update when the last available firmware that fits was Shibby 104?

    Also, FYI: (on two shibby based routers)

    openssl version
    openssl:Error: 'version' is an invalid command.
     
  26. shibby20

    shibby20 Network Guru Member

    please read changelog. "Version" command was never added in tomato. I added it in release 105:
    but removed in v112:
    In release 092 we can read:
    and next update of openssl was in v105
    now you should know which version of openssl you have :)
     
  27. Nick G Rhodes

    Nick G Rhodes Networkin' Nut Member

    CVE-2014-0160 mitigation using iptables
    From: http://seclists.org/bugtraq/2014/Apr/44

     
  28. Morac

    Morac Network Guru Member

    lancethepants posted a statically linked version of the fixed version of OpenVPN so that can be used instead.
     
  29. ryzhov_al

    ryzhov_al Networkin' Nut Member

    TLS handshake was disabled in Entware. A new openssl will be added in a day or two.
     
  30. Joeviocoe

    Joeviocoe Network Newbie Member

    Waiting intently on Shibby's update for RT-N16
     
    wistlo likes this.
  31. sziggle

    sziggle Networkin' Nut Member

    word.
     
    wistlo likes this.
  32. zatoom

    zatoom Addicted to LI Member

    HunterZ likes this.
  33. wistlo

    wistlo Addicted to LI Member

    Waiting on RT-N16, -N12, and -N66U. The network owner is Not Happy.
     
  34. gijs73

    gijs73 LI Guru Member

    A little rude, don't you think? This isn't a Shibby issue, this is a giant OpenSSL issue. Whether or not someone "is Not Happy" doesn't really mean much.

    Plus, think of it this way: you haven't built your own custom firmware that has this security hole patched, so maybe be nicer to someone who can ACTUALLY help you.

    Thanks in advance Shibby... I'm sure you had better things to be doing this week.
     
  35. wistlo

    wistlo Addicted to LI Member

    Yes, I confess to being impatient and apologize for being terse.

    The problem is that I have become accustomed to Tomato's stability, performance, the efficient configuration and management, and its inter-operability across multiple hardware appliances. I greatly appreciate all the work that's gone into Tomato by shibby, Victek, toastman, and the other contributors. I have donated to their causes in the past, and definitely will again--especially after this fire drill.

    But now I must answer "why are all my routers vulnerable and when will you fix it?" My choices are (a) give up the fight and spend a lot of my time and money switching out hardware for off-the-shelf items, so next time this happens I can say "Take it back to the guy at Best Buy" or "call your Cisco consultant" (b) reflashing many devices, some almost a decade old, some remote, with stock firmware and then try to get them to work together (c) firing up my own development environment, though that would still mean many nights of time at best, and ultimately I would trust a shibby or victek solution far more than my own. Fortunately, I guess, there's now a (d) where I will probably end up staying up all night next week implementing the openssl 1.0.1g temporary binary file fix using jffs (or usb or cifs). I posted above because I'd rather spend that night flashing a new kluge-free version.

    I can't just roll back to ancient pre-Heartbleed Tomato versions because I'm using OpenVPN where some clients don't play well with old server versions, and WDS, which back then was not stable across different vendor platforms.

    At my workplace, "thanks in advance" is management-speak code for "you had better get this done soon, buddy". I never use that phrase, but I guarantee that I will appreciate whatever solution shibby, victek, et. al. come up with.


    I imagine I'm not the only Tomato user in this kind of fix. I also imagine I'm not the only Tomato user who views Tomato's developers like shibby and Victek and Jon Zarate as unsung Steve Wozniaks, on the same level as Woz at making inexpensive little devices do amazingly big things.
     
  36. Elfew

    Elfew Addicted to LI Member

    You have been living with this issue over one year and now you wanna fix :) NSA already have all your data, so no rush and worries ;)
     
  37. lancethepants

    lancethepants Network Guru Member

    Perhaps it might be useful to remind ourselves that tomato falls under the GPL license. Here is a selection of it.

    Code:
    NO WARRANTY
    
    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
    REPAIR OR CORRECTION.
    
    Stated generally: If you want your hardware/software supported for a professional environment, you should pay a professional service for it.
     
    Last edited: Apr 12, 2014
    Toxic, Toastman and kthaddock like this.
  38. schnappi

    schnappi Serious Server Member

  39. FattysGoneWild

    FattysGoneWild LI Guru Member

    Wow! How dare you! Before you blast him. It's pretty rude yourself and selfish to blow it out of context. Shame on you. wistlo no need to apologize and kiss butt. You said nothing wrong. You just mentioned the devices and the owner not being happy about the security vulnerability. Nowhere did you mention pushing these firmware makers and DEMANDING a fix ASAP. That is a completely different thing.

     
    Last edited: Apr 12, 2014
  40. wistlo

    wistlo Addicted to LI Member

    Code:
    NO WARRANTY
    
    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
    FOR THE PROGRAM . . .
    
    Understood. But GPL code is now in common use commercially. I know of one Fortune 100 company that's migrating to Linux as fast as it can, and (finally) the idea of open source is not stopping them.

    Besides, at my level of operation, I don't put that much faith in the alternative, commercial EULAs. Here's what Microsoft makes users agree to:

    Code:
    MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING THOSE OF
    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT...
    
    IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES FROM MICROSOFT, YOU CAN RECOVER ONLY DIRECT DAMAGES UP TO THE AMOUNT THAT YOU PAID FOR THE SOFTWARE. YOU MAY NOT RECOVER ANY OTHER
    DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT, OR
    INCIDENTAL DAMAGES.
    
    In effect that's the same as GPL, right up to "the amount I paid for the software." (in Tomato's case, that's much easier to figure out).

    What about going to an all Cisco solution, which was suggested to me until the cost became apparent?

    Code:
    ...Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers under this limited warranty will be (i) replacement of defective media and/or (ii) at Cisco's option, repair, replacement, or refund of the purchase price
    
    To be fair, Cisco does respond quickly when key vulnerabilities are discovered. The bigger the contract, the faster the response. For the SOHO market, that's not very fast; vulnerabilities that persisted in Linksys firmware across multiple releases.

    Tomato is functional beyond just someone watching Netflix or torrenting files. It's a great value (actually, infinite if you calculate it mathematically). For a small enterprise that's barely profitable if at all, it's an ideal choice. I'm glad I had this dialog here, as it gives me some talking points for hand-waving while a fix is forthcoming.

    And believe me -- for the years of stable operation and terabytes of business traffic that has passed through Tomato, I remain very appreciative.
     
    Last edited: Apr 13, 2014
  41. koitsu

    koitsu Network Guru Member

    Off-topic, so I'm making the font small:

    Ah, wait a minute, I have to inject here. @lancethepants, to be clear, Tomato does not fall entirely under the GPL. There are portions of Tomato which are obviously GPL, and I think there are some included utilities which also fall under BSD or possibly Apache license. And that's all fine. However, there are Tomato-specific pieces which fall under a very vague and undefined license -- those pieces are the pieces Jonathan Zarate himself wrote, and there is no LICENSE file or header to describe the conditions themselves. There have been numerous attempts to contact him to get clarification on what licensing this complies with (ex. "hey can we modify your code and release it?"), but he never responds. So there are portions of the Tomato code that we cannot actually modify/fix because of this dilemma.

    Back to the OpenSSL bug itself and how it affects so many people:

    Let this be a lesson to the world: Linus's Law, a quote from Linus Torvalds -- "given enough eyeballs, all bugs are shallow" -- is absolute bullshit. I called bullshit on it when he said it back in the day, just like I call bullshit on Eric Raymond's Cathedral and the Bazaar article (which I wrote a response to, about 20 pages with full references/analysis, but I never got a chance to release it due to fat-fingering and deleting it). The number of eyes has absolutely no bearing -- what you need are intelligent eyes, who are familiar with all the code from the ground up.

    OpenSSL has had hundreds upon hundreds of eyes on it, yet this bug went undiscovered until some employees of Google stepped up to the plate and found it. There have been other problems with OpenSSL found since then too,

    Why is this such a problem, and why does the issue recur time and time again with things like OpenSSL? Rather than re-write what I posted on Slashdot a few days ago I'll simply point people to the paragraph there that starts with "My opinion". That there is the crux of the matter. It proliferates heavily throughout cryptography software because there are a limited number of people who... well... just read what I wrote in that paragraph on Slashdot, it sums it up.

    I say all this as both an open-source software developer and as a person who has been involved in the open-source community since roughly 1992 (I started with Linux 0.99pl45).

    Finally: OpenSSL is an absolutely horrid piece of software. I'm not just spouting off nonsense here. If you take the time to actually look at it, from the ground up, all the semantics/design/methodologies, and then go and look at how the software has changed over the years (i.e. tons and tons of breakage at the API and ABI level), then you suddenly realise how utterly scary it is for such a huge amount of the Internet to be reliant on something that's written so awfully. The problem is that there aren't feasible alternatives; OpenSSL is it. It's kinda like RRDtool in that sense -- there's nothing else that does what RRDtool does, so people continue to use it despite it being a complete pile of garbage that is bug-ridden, doesn't scale well, and is an administrative nightmare (and ~75% of people who use it are probably unaware of how the data shown by RRDtool is not the data they truly would expect, i.e. the behaviour they expect is not actually what's going on, but they think it is).
     
    wistlo likes this.
  42. Mangix

    Mangix Networkin' Nut Member

    I love the story of OpenSSL's origins. Eric Young wanted to learn C and decided to write an SSL library in it for fun XD.

    The two areas where tomato uses OpenSSL are OpenVPN and HTTPS Management. For the former, it's entirely possible for it to be recompiled to use PolarSSL which is not as bad (there's a polarssl directory in the tomato source) but I don't think that it's as fast as OpenSSL. And I think that's sadly the main reason that it's used.
     
    koitsu likes this.
  43. Xegot

    Xegot Network Newbie Member

    So in other words: if you don't use OpenVPN and don't use HTTPS management then you don't have to worry about the heartbleed bug for Tomato based routers?
     
  44. PartisanEntity

    PartisanEntity Reformed Router Member

    Hello, that's correct. Although it would make sense to upgrade when a fix becomes available just in case you ever need these features. The heartbleed bug is pretty serious.
     
  45. shibby20

    shibby20 Network Guru Member

    not only. TOR, Transmission (if encryption is enabled). If openvpn is built-in then vsftpd has also SSL support
     
  46. PartisanEntity

    PartisanEntity Reformed Router Member

    shibby, not to put any pressure on you :) just out of interest, when do you expect to release a new version with a fix for heartbleed?

    dziękuję
     
  47. shibby20

    shibby20 Network Guru Member

    it`s compiling at the moment. Today K26 should be ready to release. Tomorrow K26RT-N, after that i will compile K26RT-AC and K26ARM. At finish i probably compile also K24. Compiling all images takes ~3-4 days.
     
    Elfew, JoeDirte, wistlo and 3 others like this.
  48. PartisanEntity

    PartisanEntity Reformed Router Member

    Thanks so much, and I really appreciate all the hard work. For me the K24 is most important I guess since I have a WRT54GL.

    I am a recent migrant from dd-wrt and this is a huge difference. Makes dd-wrt look like it is stuck in the past IMO.
     
  49. The Master

    The Master LI Guru Member


    Holy shit!!! 3-4 Days... hard work...hard work... THX So much to you and the other Devs.
     
  50. wistlo

    wistlo Addicted to LI Member

    Goooooal!

    Shibby:1
    Corporate vendors:0

    This, based on an excerpt from an email regarding OpenSSL that was sent today to all employees at my workplace:

    (Emphasis mine.)

    Thanks Shibby for the status update, not to mention all the work you're putting behind it.
     
    Last edited: Apr 14, 2014
  51. shibby20

    shibby20 Network Guru Member

    ok, i need one person to test tomato v117 K26 and tell me whether this version fixes heartbleed before public release. Who wants to test first? :)
     
    Elfew, wistlo and Spyros like this.
  52. leandroong

    leandroong Addicted to LI Member

    what good site to test? I got
    edit: I can test it on my
    router: ZTE ZXV10 H618B, Tomato Firmware 1.28.0000 MIPSR1-116 K26 USB AIO. Tell me what url to use as test

    edit2, on 1.0.1f test, I got this
     


    Last edited: Apr 14, 2014
  53. Spyros

    Spyros LI Guru Member

    I can test, currently on tomato-E2000-NVRAM60K-1.28.RT-MIPSR2-116-Max

    Is dnsmasq updated to fix this bug?

    http://www.linksysinfo.org/index.php?threads/dnsmasq-periodically-restarting.69887/

    Can you add JFFS in IPv6-VPN build for E2000? There is plenty of space left and installing Max for having JFFS+IPv6+VPN is an overkill.
     
  54. wistlo

    wistlo Addicted to LI Member

    RT-N66U, available tonight.
    RT-N12d, available tonight (though not with OpenVPN, just https and WDS test)
    RT-N16, available April 16 (after US tax deadline).
     
  55. johns996

    johns996 Addicted to LI Member

    I'm happy to help test it out as well on my RT-N66U running 114-EN currently.
     
  56. Edrikk

    Edrikk Network Guru Member

    That's great news! My parents are running WRT54GLs as it gives them great range and stability, so it's really great that K24 will get a new build as well!
     
    wistlo likes this.
  57. shibby20

    shibby20 Network Guru Member

    [release] tomato v117 K26 - part 1

    openssl updated to version 1.0.1g - heartbleed fixed.
    tomorrow should be next part of firmwares.

    Feedback welcome.
    Best regards.
     
    Last edited: Apr 14, 2014
    Elfew and wistlo like this.
  58. wistlo

    wistlo Addicted to LI Member

    I send these home (and carry one in my own briefcase) to use VPN without needing to touch the remote client machine.

    The WRT54GL's light is useful when troubleshooting remotely: amber for successful ping out to Google, and white for successful ping to VPN LAN. Instead of "do you have Putty?", it's "what color is the light?"
     
  59. PartisanEntity

    PartisanEntity Reformed Router Member

    You can change the light on WRT54GL?
     
  60. shibby20

    shibby20 Network Guru Member

  61. Elfew

    Elfew Addicted to LI Member

    Thanks!
     
  62. wistlo

    wistlo Addicted to LI Member

    Yes - I posted a how-to here.
     
  63. PartisanEntity

    PartisanEntity Reformed Router Member

    Very cool, thank you :)
     
    wistlo likes this.
  64. Gruelius

    Gruelius Connected Client Member

  65. Kim K

    Kim K Serious Server Member

    Hi Shibby,

    Is it worthwhile compiling any more for the Linksys E1000v2-2.1 as the image no longer fits?

    I think it's a bit confusing having them there for download when they don't actually work.

    Disclaimer: I have one as a secondary router, and its running the last known one that fits, I think that was v107.
     
  66. Toastman

    Toastman Super Moderator Staff Member Member

    I just released 7504 which uses the patch from DJFurie of EasyTomato, and also brings dnsmasq up to date.
     
  67. shibby20

    shibby20 Network Guru Member

    thx for reminding me of this problem. I can compile test image for you. Please tell me which branch do you want: RT-N or RT-AC?
     
  68. JugsteR

    JugsteR Serious Server Member

    Are there any updated versions for WRT54GL?
    The version I am running now is Tomato Firmware v1.28.7624 -Toastman-ND ND VPN.
    (stable as a rock since I blew a cap on my ordinary router)
     
  69. Toastman

    Toastman Super Moderator Staff Member Member

    good point about K24 versions. I'll take a look at it later, and see what I can do quickly.

    Compiling with no heartbeat seems the best thing, I do not want to spend much time on K24 versions.
     
    Last edited: Apr 16, 2014
  70. Gruelius

    Gruelius Connected Client Member

    RT-N please. I am happy to help! my router is an Asus RT-N66U
     
  71. li am

    li am Network Newbie Member

    Thanks for the updated version!
    I installed 1.28.0504 MIPSR2Toastman-RT-N K26 USB VPN on my Netgear WNR3500L v2 and tested with check-ssl-heartbleed.pl:

    Code:
    perl check-ssl-heartbleed.pl <ip>
    ...ssl received type=22 ver=0x301 ht=0x2 size=77
    ...ssl received type=22 ver=0x301 ht=0xb size=723
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    ...ssl received type=24 ver=301 size=16384
    BAD! got 16384 bytes back instead of 3 (vulnerable)

    Does that mean my router is still vulnerable, or is this a false positive?
     
  72. shibby20

    shibby20 Network Guru Member

    maybe you have openssl from optware/entware installed?
     
  73. li am

    li am Network Newbie Member

    How can I verify/falsify this? - I did not manually modify the openssl or any other files on my router, other than configuration changes that are available through the web gui.

    Here's what shows over ssh - I guess the version stays at 1.0.1c because it's patched (Easy Tomato).

    Tomato v1.28.0504 MIPSR2Toastman-RT-N K26 USB VPN
    root@tomato:/tmp/home/root# /usr/sbin/openssl version
    OpenSSL 1.0.1c 10 May 2012
     
  74. Morac

    Morac Network Guru Member

  75. Stavros

    Stavros Network Newbie Member

    Shibby,

    First of all thanks for all your work on this, not only is your Tomato version fantastic for my router but it also forced me off my lazy Windows based ass and into the wonderful world of Linux.

    Just wondering if these changes to fix the HB bug will be pushed to the GIT repo any time soon?

    Thanks again for all your work!
     
  76. lancethepants

    lancethepants Network Guru Member

    Group claims to have successfully exploited OpenVPN with heartbleed vulnerability, and recovered private keys.
    They have not released the exploit code, though I'm sure others will pop up.

    https://news.ycombinator.com/item?id=7598616

    You should safely assume your private keys are compromised and generate new ones.
     
  77. maleadt

    maleadt Networkin' Nut Member

    Stock binaries are apparently only loading libraries from /lib and /usr/lib:
    Code:
    # ldd $(which httpd)
       libnvram.so => /usr/lib/libnvram.so (0x2aabf000)
       libshared.so => /usr/lib/libshared.so (0x2aad1000)
       libmssl.so => /usr/lib/libmssl.so (0x2aaf1000)
       libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x2ab03000)
       libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x2ab50000)
       libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2ac5a000)
       libc.so.0 => /lib/libc.so.0 (0x2ac79000)
       libpthread.so.0 => /lib/libpthread.so.0 (0x2aced000)
       libdl.so.0 => /lib/libdl.so.0 (0x2ad10000)
       ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x2aaa8000)
    Even though libssl exists in /opt/lib

    Admittedly, I don't fully grok why. Entware managed libraries are listed _first_ in /etc/ld.so.conf, so as far as I see ld should pick them up. But stracing httpd doesn't list any library in /opt even being looked at.

    When bind mounting /opt/lib/libssl.so.* over /lib/libssl.so.*, I get relocation errors when executing binaries:
    Code:
    # mount -o bind /opt/lib/libssl.so.1.0.0 /usr/lib/libssl.so.1.0.0
    # httpd
    
    httpd: can't handle reloc type 0x2f
    So maybe there's some inherent incompatibility between stock and entware libraries?
     
  78. Morac

    Morac Network Guru Member

  79. Toastman

    Toastman Super Moderator Staff Member Member

    The code has the easytomato fix, and when I tested it online here, it appeared to work fine.

    Never mind, I've upgraded to 1.0.1g in 7504.1

    EDIT please use 7505 instead. All 7504.x releases deleted.
     
    Last edited: Apr 21, 2014
  80. Morac

    Morac Network Guru Member

    Does that fix OpenVPN as well or is 2.3.3 still needed?

    On a related note, I've been seeing a number of recent connection attempts on the OpenVPN port in the logs, which OpenVPN 2.3.3 (using static compiled version) is reporting as a potential attack, so it looks like exploit kits out there are now scanning for vulnerable VPN servers.
     
    Last edited: Apr 18, 2014
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For what it's worth, I contacted Jon back in 2008 (when I first created TomatoVPN) asking about modifying/distributing, I got the following response:
    I don't know if anyone would be comfortable taking that response and extrapolating it to allowing anyone changing/distributing it (following those conditions, of course), but I thought I'd throw it out there. This wasn't even asking about specific files, just all of the "No part of this file may be used without permission" files in general.
     
  82. JTD121

    JTD121 Networkin' Nut Member

    Curious, I am running AdvancedTomato 1.28.0000 MIPSR2-1.24.16 K26AC USB AIO-64K; I upgraded a couple days ago from an older version. What's the recommended way to check what version of OpenSSL you've got? Finding and executing the command 'openssl version' says it's an invalid command; I see Shibby has taken some of those commands out to shrink his images.

    I use HTTPS management, only on the local network, not on the WAN, and not externally, anyway. Should I be worried? Just regenerated my self-signed certs with 1.0.1g, though I'm pretty sure that has little (if anything) to do with the Heartbleed bug.

    EDIT: Also, since I've recently gotten a big-boy job again, I will be donating to a few of you as thanks soon!
     
  83. Mangix

    Mangix Networkin' Nut Member

    strings /usr/lib/libcrypto.so | grep OpenSSL

    not ideal but meh.
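The `strings | grep` trick above, as an added example (not from the thread or from any Tomato build) turned into a small check that reads the version string embedded in a library or binary and classifies it against the Heartbleed-affected range, OpenSSL 1.0.1 through 1.0.1f. It uses `tr` instead of `strings` so it also runs on builds that ship without binutils; the library paths in `scan_openssl_libs` are assumptions that cover the stock /usr/lib copy and the Entware /opt/lib copy the thread mentions.

```shell
# Added example: find the OpenSSL version string inside a file and say
# whether that version is in the Heartbleed-affected range (1.0.1 .. 1.0.1f).
# Assumption: the version text "OpenSSL x.y.z[letter] <date>" is embedded
# in libcrypto/libssl as it is in stock OpenSSL builds.

# Print the first "x.y.z[letter]" OpenSSL version found in FILE, or nothing.
# tr turns every non-printable byte into a newline, a portable stand-in for strings(1).
openssl_version_in() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' \
        | head -n 1 | cut -d' ' -f2
}

# Return 0 when VERSION is one of the Heartbleed-affected releases.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Classify one file: "<version> vulnerable|fixed|unaffected" or "unknown (...)".
# 1.0.0 and 0.9.8 never had the heartbeat extension, so they are reported unaffected.
report_file() {
    v=$(openssl_version_in "$1")
    if [ -z "$v" ]; then
        echo "unknown (no OpenSSL version string in $1)"
    elif heartbleed_affected "$v"; then
        echo "$v vulnerable"
    else
        case "$v" in
            1.0.1*) echo "$v fixed" ;;
            *)      echo "$v unaffected" ;;
        esac
    fi
}

# Check every copy a Tomato box may be running: stock flash and Entware/Optware.
# (paths are assumptions; pass your own as arguments to override)
scan_openssl_libs() {
    if [ $# -eq 0 ]; then
        set -- /usr/lib/libcrypto.so* /usr/lib/libssl.so* /usr/sbin/openssl \
               /opt/lib/libcrypto.so* /opt/lib/libssl.so*
    fi
    for f in "$@"; do
        [ -f "$f" ] || continue
        echo "$f: $(report_file "$f")"
    done
}
```

A version string is only a hint: a vendor that backports the fix leaves the string alone (the thread's Toastman 7504 build reports 1.0.1c yet carries the EasyTomato patch), so "vulnerable" here means "go run the heartbeat check against the service", not a confirmed hole.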
     
  84. gfunkdave

    gfunkdave LI Guru Member

    So, OpenVPN question. Do I need to upgrade the OpenVPN server and client routers or just the server router to address Heartbleed? I think I just need to do the server, right? (And create new keys/certs)
     
  85. JTD121

    JTD121 Networkin' Nut Member

    After running that, I am running 1.0.1c. At the very least, I am only using SSL/TLS on the LAN. Does this affect browsers going through the router?
     
  86. glynne

    glynne Network Newbie Member

    I'm between a rock and a hard place. I'm using shibby's version and with the heartbleed bug I should upgrade. Problem is, my RT-N66U, after a few days of use (or less), has to be hard booted as it locks up after a while. This only happens, best I can tell, with version 112 and greater. I've also noticed this problem with the RT-N16. Anyone have an idea what I should do to both avoid heartbleed and have a stable router?

    Thanks.
     
  87. gfunkdave

    gfunkdave LI Guru Member

    Try Toastman?
     
  88. koitsu

    koitsu Network Guru Member

    No, the individual should wait, as present Toastman firmwares (as of this writing) are not ready yet. Proof:

    http://www.linksysinfo.org/index.php?threads/toastman-releases.36106/page-27#post-244177

    People need to calm the F down about this issue and give maintainers of firmwares, software, etc. a chance to make sure things are being done correctly. Everyone pushing/shoving and trying to "race for who gets the first fix" and all this utter nonsense has already caused multiple mistakes/problems (ex. the guy who went on some hellbent tirade insisting he could just drop OpenSSL 1.0.1g in place of the existing OpenSSL and "everything would just work" -- so little did that individual know of OpenSSL and how ABIs work, as was later realised by people reporting "I get weird bizarre runtime symbol errors when trying to use your stuff"). Had people not gone completely ballistic and instead said "okay, in the meantime I'll shut off HTTPS 'til this gets fixed properly"....

    This is just another reason supporting my advocacy of disabling HTTPS on routers (Internet-facing) universally and instead just use SSH (with key-based authentication only) + SSH port forward/tunnel to access the web GUI. Tried to tell people...... :(
     
    BikeHelmet likes this.
  89. Morac

    Morac Network Guru Member

    If Toastman is updating to use Shibby's OpenSSL commits and Shibby's version isn't stable, doesn't that mean Toastman's version won't be stable at that point as well?
     
  90. Toastman

    Toastman Super Moderator Staff Member Member

    Shibby and I are now sync'd on the openssl. It appears stable here. A few days of people using it and we will know how it is. Koitsu is correct with his comments. Now we have what seems like working code in git, we can progress.
     
  91. Edrikk

    Edrikk Network Guru Member

    Hi Toastman,
    Any chance you'll also upload updated builds for ND-MIPS32R1 Kernel 2.4 and ND-MIPS32R1 Kernel 2.6 as well?
     
  92. Toastman

    Toastman Super Moderator Staff Member Member

    No plans to do that, no. Perhaps building with no heartbeat, but updating openssl and openvpn will make the builds much too large for old routers. The code is pretty much at the end of life - except for any small changes in GUI etc to make it a little more pleasant.
     
  93. mstombs

    mstombs Network Guru Member

    Definitely worth pausing for thought once the basic vulnerable function is disabled, by not using it or by code change - see the slashdot etc. articles on what the openbsd folk are doing in reviewing all the code, but their knee-jerk reaction is not likely to be very helpful in the short term; if you look at the actual commits they are mostly just rearranging whitespace and removing support for obsolete VMS etc. - any actual new potential bug fixes may be lost in the mud! That version is likely to become libressl, and others will have to carefully review everything before a stable new openssl version is created!
     
