ljkbirk's profile

Contributor

 • 

1 Message

Wednesday, April 9th, 2014 10:46 PM

Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Is the 3600HGV (software 6.9.1.42-plus.tm) affected by this vulnerability?

Accepted Solution

Official Solution

Former Community Manager

 • 

10.4K Messages

10 years ago

We have found no issues due to the bug, but will continue to monitor.

 

More info here: http://blogs.att.net/consumerblog/story/a7795231

ACE - Master

 • 

6.9K Messages

10 years ago

It has nothing to do with the router you are using, it's the web sites that you visit that require logins.

ACE - Expert

 • 

34.7K Messages

10 years ago

While the biggest problem may be the server sites, most routers (including the RG) have built in web pages and could use SSL; they could have these vulnerabilities which could be exploited if they have an outward facing port that allows an SSL connection.

 

ACE - Expert

 • 

34.7K Messages

10 years ago

An article with a little bit of information (and more hype):

 

http://mashable.com/2014/04/10/heartbleed-networking-routers/

 

Tutor

 • 

2 Messages

10 years ago

If anyone knows at ATT, they aren't telling. I actually foolishly called into tech support to ask. I was first told by the tech that Yahoo had patched everything. Err no, I'm talking about the physical router I have and the software that came with it. The tech then responded that ATT had updated my software automatically. I doubted that very much so I asked how that could be verified and he told me to sign into the router and I'd see the software had been updated in the last couple of days. I asked what version of the software I should look for. Which version specifically had been patched for the Heartbleed vulnerability. He had no answer. And, big surprise, my software is the same version it was about a year ago: 6.9.1.42-plus.tm. So, I don't think there is a clear answer at this point.

ACE - Expert

 • 

34.7K Messages

10 years ago

Have you tried to access your router from the outside using SSL?

 

Tutor

 • 

3 Messages

10 years ago

I am really concerned because my AT&T router says that it is running FreeBSD and using OpenSSL in the Acknowledgements page of the user interface.

 

From the router Acknowledgment page...

"FreeBSD

The compilation of software known as FreeBSD is distributed under the following terms:

Copyright (C) 1992-2007 The FreeBSD Project. All rights reserved..."

 

"openssl

Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved..."

 

Is there any way to see what versions of these libraries/software are running on the device? I get the sense the AT&T chat personnel are clueless.

Tutor

 • 

2 Messages

10 years ago

Thanks Jeffer, but, no, I'm really not very knowledgeable about networking. I can say I'm unable to log in to the router when I'm not on the wifi network. I'm just hoping either ATT or Pace eventually make a clear statement about this.

 

 

Tutor

 • 

1 Message

10 years ago

I have a Motorola NVG510 Router. I located the user manual on it from FCC (you have to dig it up). It appears to have 2 build ups, one with OpenSSL. Each router has software and one would assume it can be patched if it does. The Motorola Router has a webpage for troubleshooting and user administration. But we can't get into the "Shell". It appears that ATT sells routers to their customers from different manufacturers. I spent 47 minutes (which I will never get back) with their tech support line.

 

Their engineers are not coming up with any good statements for the tech support people to use. Some think this is just a website issue. Some think if they tell us that their ATT servers are either a) never used it or b) it's been fixed that will answer the question of the router on our shelf or in the back room of our business!!! And some of them think it is a virus. It is an error in code written for OpenSSL 2 years ago. It is not intentionally malicious; it produced an open door from which a hacker can extract packets of data as often as they wish and the action is untraceable. It is a valuable tool used in on-line services, sites, hardware, etc. hence the panic.

 

All we want is a statement from ATT with a list of routers, indicating that they have or do not have OpenSSL from that batch coded in the last 2 years. And if it does, can it be patched. And help the clueless tech support that answers the phone. But Mr. Spock, that would be logical.

ACE - Expert

 • 

34.7K Messages

10 years ago

Just because it employs OpenSSL doesn't mean that it employs the affected versions.

Just because it employs the affected versions, doesn't mean the affected feature was enabled.

Just because the version and feature are enabled, doesn't mean it's exploitable.

 

Yes, it would be nice for AT&T to make a reassuring (or not) statement.  The fact that they haven't could mean:

  1. They haven't figured it out yet
  2. They're bungling customer communication again
  3. They know there's an issue, but they don't want to make an announcement until they've got a corrective measure in place, because they don't want to raise a red flag in front of the hacking community.

I know that the router does at least pass SSL through to the WAP for the wireless receivers; but I don't know whether the tunnel ends at the RG or the WAP.  I do know that you can reach the internal-facing web pages of the RG using SSL. So, yes, you could possibly mine the memory contents of your own RG.  If your own RG is not properly secured wirelessly (i.e. you don't have good security settings), then someone near your home could possibly do the same. 

 

It is probable that AT&T uses SSL to secure the communication stream it uses into the RG using a certificate to keep the SSL port secure.  My understanding is that the current vulnerability can be exploited between the initial connection request and before the client certificate must be presented, so I'm not 100% convinced that the RG is secure.

 

It would be nice to hear from AT&T on this ASAP.
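The version / feature / exposure reasoning in the post above, as an added example that is not part of the original thread: a triage helper that applies the first two checks to text in the format `openssl version -a` prints. The function names and the sample banners are constructed for illustration; the affected range is the upstream one (1.0.1 through 1.0.1f, and 1.0.2-beta1).

```python
import re

# Upstream releases that shipped the Heartbleed bug: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0
# branches never contained the heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+))?")

def version_affected(banner):
    """True/False for a parsable banner, None when no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    base, letter, pre = m.groups()
    if base == "1.0.1":
        # No letter (1.0.1 itself) up to and including 'f' is in range.
        # Assumption: 1.0.1 pre-releases are conservatively treated as affected.
        return letter == "" or (len(letter) == 1 and letter <= "f")
    if base == "1.0.2":
        return letter == "" and pre == "beta1"
    return False

def triage(banner, build_flags=""):
    """Walk the post's checks in order: version, then feature, then exposure."""
    affected = version_affected(banner)
    if affected is None:
        return "unknown: no OpenSSL version in input"
    if not affected:
        return "not affected: release outside the vulnerable range"
    if "-DOPENSSL_NO_HEARTBEATS" in build_flags:
        return "not affected: heartbeat support compiled out"
    # A vendor may backport the fix without changing the version letter, and
    # the library may not back any reachable TLS listener; both need checking.
    return "potentially affected: confirm patch level and TLS port exposure"

# Constructed sample inputs (not taken from any device in this thread).
SAMPLES = [
    ("OpenSSL 0.9.8y 5 Feb 2013", ""),
    ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_NO_HEARTBEATS"),
    ("OpenSSL 1.0.1f 6 Jan 2014", "compiler: gcc -DOPENSSL_THREADS"),
    ("OpenSSL 1.0.1g 7 Apr 2014", ""),
]

if __name__ == "__main__":
    for banner, flags in SAMPLES:
        print(f"{banner:32} -> {triage(banner, flags)}")
```

A copyright notice such as the one on the router's Acknowledgements page carries no version string, so it yields the "unknown" result; only the vendor or a firmware image can supply the banner.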

 
