DD-WRT Update on Heartbleed Vulnerability

Via: DD-WRT

The Heartbleed vulnerability discovered in OpenSSL 1.0.1 through 1.0.1f is one of the most serious issues in encrypted data communication of recent years. First of all, we can assure you that the encrypted web services such as the DD-WRT Online Shop and the Activation Center have never been affected, because the OpenSSL version they run does not contain the vulnerability.

Currently the main focus of the Heartbleed discussion is on web servers using SSL/TLS, but other services on Linux systems also use OpenSSL. By default none of these services is enabled in DD-WRT; nevertheless it is important that you check your router settings to find out whether you might be affected by Heartbleed.

The Heartbleed vulnerability (CVE-2014-0160) allows an attacker to read up to 64 KB of the memory of a process using OpenSSL (with TLS or DTLS) per heartbeat request: the declared payload length of a heartbeat message is not checked against the data actually received, so the response is filled with whatever memory lies beyond the heartbeat buffer. Since every request can return another block of up to 64 KB from the same process, an attacker can retrieve sensitive data from the service, e.g. private keys. More detailed information about Heartbleed can be found in the security advisory:

http://www.kb.cert.org/vuls/id/720951

and here:

English: http://www.infoq.com/news/2014/04/heartbleed-ssl
German: http://www.golem.de/news/openssl-wichtige-fragen-und-antworten-zu-heartbleed-1404-105740.html
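The missing length check is easiest to see in a small model of the heartbeat handler. The following C program is an example added in this edit, not DD-WRT or OpenSSL code: it builds a heartbeat request whose declared payload length (400) is far larger than its real payload (4 bytes), places a constructed secret right after the record in a single array standing in for process memory, and feeds the record to a handler written the way the pre-fix code behaved and to one with the bounds check from the fix. The record layout follows RFC 6520 (type, 16-bit length, payload, at least 16 bytes of padding); the function names, the 512-byte memory model and the secret string are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example added by the editor, not DD-WRT or OpenSSL code: a model of TLS
 * heartbeat handling (RFC 6520) before and after the Heartbleed fix. Process
 * memory is modelled as one array so the over-read stays inside it; in the
 * real process it runs into whatever heap data follows the record. */

#define MEM_SIZE 512
#define PAD_LEN 16                      /* RFC 6520: at least 16 bytes of padding */
#define OUT_SIZE (3 + 65535 + PAD_LEN)  /* largest response a 16-bit length allows */

enum { HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Write a heartbeat request at buf: type(1) | payload_length(2, big-endian) |
 * payload | padding. claimed_len is what goes into the length field; an
 * attacker sets it far larger than the real payload. Returns the record length. */
static size_t build_heartbeat(uint8_t *buf, const uint8_t *payload,
                              size_t real_len, uint16_t claimed_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0, PAD_LEN);
    return 3 + real_len + PAD_LEN;
}

/* Pre-fix logic: trust the peer's payload_length and memcpy that many bytes
 * into the response. rec_len is never consulted, which is exactly the bug.
 * The mem_size guard only keeps this simulation inside its array. */
static size_t hb_vulnerable(const uint8_t *mem, size_t mem_size,
                            size_t rec_len, uint8_t *out) {
    (void)rec_len;
    if (mem[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)3 + payload_len > mem_size) return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);      /* reads far past the record */
    memset(out + 3 + payload_len, 0, PAD_LEN);
    return 3 + payload_len + PAD_LEN;
}

/* Fixed logic (as in OpenSSL 1.0.1g): header + declared payload + minimum
 * padding must fit inside the record actually received, else drop silently. */
static size_t hb_fixed(const uint8_t *mem, size_t mem_size,
                       size_t rec_len, uint8_t *out) {
    (void)mem_size;
    if (rec_len < 3 + PAD_LEN || mem[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)3 + payload_len + PAD_LEN > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);
    memset(out + 3 + payload_len, 0, PAD_LEN);
    return 3 + payload_len + PAD_LEN;
}

/* Does the byte string needle occur anywhere in buf[0..len)? */
static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Send one lying heartbeat (real payload 4 bytes, claimed 400) to the chosen
 * handler. Returns 1 if the secret placed after the record came back in the
 * response, 0 if not (including when the record was dropped). */
int heartbeat_leaks_secret(int use_fixed) {
    static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed */
    uint8_t mem[MEM_SIZE] = {0};
    uint8_t out[OUT_SIZE];
    size_t rec_len = build_heartbeat(mem, (const uint8_t *)"ping", 4, 400);
    memcpy(mem + rec_len, secret, sizeof secret);   /* "adjacent" heap data */
    size_t n = use_fixed ? hb_fixed(mem, MEM_SIZE, rec_len, out)
                         : hb_vulnerable(mem, MEM_SIZE, rec_len, out);
    return contains(out, n, secret);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", heartbeat_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", heartbeat_leaks_secret(1));
    return 0;
}
```

The vulnerable handler answers with 419 bytes for a 23-byte request and the secret is inside the response; the fixed handler returns nothing at all, which is why a patched server simply stops responding to oversized heartbeats rather than answering with an error.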

In DD-WRT itself the following services use OpenSSL with TLS (curl as a client, which is also exposed when it connects to a malicious server):

  • openvpn
  • squid
  • freeradius
  • asterisk
  • curl
  • pound
  • tor
  • transmission

If you do not use any of these services, you are not affected. If one of them was enabled and reachable while the router ran an affected build, assume that anything the service held in memory, including its private keys and certificates, may have been read; after updating, regenerate those keys and certificates rather than reusing them.

Only builds 19163 through 23882 are affected.
All of Kong's builds have been updated with the latest OpenSSL.

For R6300V1/WNDR4500: http://www.desipro.de/ddwrt/K3-AC/23885/

For R6250/R6300V2/R7000: http://www.desipro.de/ddwrt/K3-AC-Arm/r23884/

For WNR3500L V1: http://www.desipro.de/ddwrt/K26/r21395+/