Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Contributor


Is the 3600HGV (software 6.9.1.42-plus.tm) affected by this vulnerability?

Message 1 of 19 (5,837 Views)

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

It has nothing to do with the router you are using, it's the web sites that you visit that require logins.

"Auto racing, bull fighting, and mountain climbing are the only real sports … all others are games." - Ernest Hemingway
Message 2 of 19 (5,680 Views)
ACE - Expert

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

While the biggest problem may be the server sites, most routers (including the RG) have built in web pages and could use SSL; they could have these vulnerabilities which could be exploited if they have an outward facing port that allows an SSL connection.

 

*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
Message 3 of 19 (5,647 Views)
ACE - Expert

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

An article with a little bit of information (and more hype):

 

http://mashable.com/2014/04/10/heartbleed-networking-routers/

 

Message 4 of 19 (5,041 Views)
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

If anyone knows at ATT, they aren't telling. I actually foolishly called into tech support to ask. I was first told by the tech that Yahoo had patched everything. Err no, I'm talking about the physical router I have and the software that came with it. The tech then responded that ATT had updated my software automatically. I doubted that very much, so I asked how that could be verified and he told me to sign into the router and I'd see the software had been updated in the last couple of days. I asked what version of the software I should look for. Which version specifically had been patched for the Heartbleed vulnerability. He had no answer. And, big surprise, my software is the same version it was about a year ago: 6.9.1.42-plus.tm So, I don't think there is a clear answer at this point.

Message 5 of 19 (4,699 Views)
ACE - Expert

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Have you tried to access your router from the outside using SSL?

 

Message 6 of 19 (4,576 Views)
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

I am really concerned because my At&t router says that it is running FreeBSD and using OpenSSL in the Acknowledgements page of the user interface.

 

From the router Acknowledgment page...

"FreeBSD

The compilation of software known as FreeBSD is distributed under the following terms:

Copyright (C) 1992-2007 The FreeBSD Project. All rights reserved..."

 

"openssl

Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved..."

 

Is there any way to see what versions of these libraries/software are running on the device?  I get the sense the At&t chat personnel are clueless.

Message 7 of 19 (4,475 Views)
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Thanks Jeffer, but, no, I'm really not very knowledgeable about networking. I can say I'm unable to log in to the router when I'm not on the wifi network. I'm just hoping either ATT or Pace eventually make a clear statement about this.

 

 

Message 8 of 19 (4,464 Views)

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

I have a Motorola NVG510 Router. I located the user manual on it from FCC. (You have to dig it up.) It appears to have 2 build ups, one with OpenSSL. Each router has software and one would assume it can be patched if it does. The Motorola Router has a webpage for troubleshooting and user administration. But we can't get into the "Shell". It appears that ATT sells routers to their customers from different manufacturers. I spent 47 minutes (which I will never get back) with their tech support line.

 

Their engineers are not coming up with any good statements for the tech support people to use. Some think this is just a website issue. Some think if they tell us that their ATT servers either a) never used it or b) it's been fixed, that will answer the question of the router on our shelf or in the back room of our business!!! And some of them think it is a virus. It is an error in code written for OpenSSL 2 years ago. It is not intentionally malicious; it produced an open door from which a hacker can extract packets of data as often as they wish and the action is untraceable. It is a valuable tool used in on-line services, sites, hardware, etc. hence the panic.

 

All we want is a statement from ATT with a list of routers, indicating that they have or do not have OpenSSL from that batch coded in the last 2 years. And if it does, can it be patched. And help the clueless tech support that answers the phone. But Mr. Spock, that would be logical.

Message 9 of 19 (4,392 Views)
ACE - Expert

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Just because it employs OpenSSL doesn't mean that it employs the affected versions.

Just because it employs the affected versions, doesn't mean the affected feature was enabled.

Just because the version and feature are enabled, doesn't mean it's exploitable.

 

Yes, it would be nice for AT&T to make a reassuring (or not) statement.  The fact that they haven't could mean:

  1. They haven't figured it out yet
  2. They're bungling customer communication again
  3. They know there's an issue, but they don't want to make an announcement until they've got a corrective measure in place, because they don't want to raise a red flag in front of the hacking community.

I know that the router does at least pass SSL through to the WAP for the wireless receivers; but I don't know whether the tunnel ends at the RG or the WAP.  I do know that you can reach the internal-facing web pages of the RG using SSL. So, yes, you could possibly mine the memory contents of your own RG.  If your own RG is not properly secured wirelessly (i.e. you don't have good security settings), then someone near your home could possibly do the same. 

 

It is probable that AT&T uses SSL to secure the communication stream it uses into the RG using a certificate to keep the SSL port secure.  My understanding is that the current vulnerability can be exploited between the initial connection request and before the client certificate must be presented, so I'm not 100% convinced that the RG is secure.

 

It would be nice to hear from AT&T on this ASAP.

 

Message 10 of 19 (4,158 Views)
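The "affected feature was enabled" question raised in the post above can be checked passively: a TLS server that supports heartbeat echoes extension type 15 (RFC 6520) in its ServerHello when the client offered it. The parser below is an added example, not part of the original posts; the function names and the sample records are constructed for illustration. An advertised heartbeat only shows the feature is present, since patched builds advertise it too.

```python
import struct

HEARTBEAT_EXT = 15  # TLS extension type assigned to heartbeat (RFC 6520)
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return {ext_type: data}."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a handshake record starting with ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 34 + 1 + hello[34] + 3  # skip version, random, session_id, suite, compression
    if pos == len(hello):
        return {}  # legal: a ServerHello with no extensions block at all
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if end > len(hello):
        raise ValueError("extensions block overruns ServerHello")
    exts = {}
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension body")
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts

def heartbeat_mode(record: bytes):
    """Return the advertised heartbeat mode, or None if it is not advertised."""
    data = server_hello_extensions(record).get(HEARTBEAT_EXT)
    if data is None:
        return None
    return MODES.get(data[0], "unknown") if len(data) == 1 else "malformed"

def sample_hello(exts: bytes) -> bytes:
    """Build a constructed TLS 1.1 ServerHello record (all-zero random, no session_id)."""
    hello = b"\x03\x02" + bytes(32) + b"\x00" + b"\xc0\x14" + b"\x00"
    hello += struct.pack("!H", len(exts)) + exts if exts else b""
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x02" + struct.pack("!H", len(hs)) + hs

WITH_HB = sample_hello(bytes.fromhex("ff01000100" "000f000101"))  # constructed
WITHOUT_HB = sample_hello(bytes.fromhex("ff01000100"))            # constructed
```
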
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

This is my worry.  The router does have the flaw or At&t's management software has the flaw.  At&t must use ssl to secure its connection to the routers and must have connected to them in the past 2 years (updates etc).  Was someone listening or capturing packets?  Do they now have the certificates for a number of or all end routers (I'd bet they use a couple hundred certs and apply them to thousands of devices) or worse yet was at&t's management software compromised; giving open access to all routers? 

 

With access to the router anything can be done. It's not simply, oh well, your router is compromised. It's let's patch these routers so that all traffic gets sent to a nefarious server, or let's listen in on the VoIP conversations, or let's mine all traffic for 16 digit credit card numbers or 9 digit socials, or read email, or make a botnet, or find open file shares and modify files, or find IP webcams and see/hear what is going on, or you name it!

 

We need an official response!

 

 

Message 11 of 19 (4,143 Views)
ACE - Expert

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?


XiozTzu wrote:

...

 

"openssl

Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved..."

 

...


If this copyright date is accurate, then you have nothing to worry about.  The affected code wasn't submitted until 2011.

Message 12 of 19 (4,004 Views)
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Maybe, but until they tell us the version on these boxes I will not be happy. A copyright notice is not a code version number.

 

It's simple... The box says it is using openSSL so At&t needs to give us a definitive response that confirms it is secure. 

Message 13 of 19 (3,883 Views)
Community Manager
Solution
Accepted by ATTJulieCS (Community Support)
‎09-30-2015 1:39 AM

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

We have found no issues due to the bug, but will continue to monitor.

 

More info here: http://blogs.att.net/consumerblog/story/a7795231



Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Message 14 of 19 (3,419 Views)
Tutor

Re: Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?


ATTDmitriyCM wrote:

We have found no issues due to the bug, but will continue to monitor.

 

More info here: http://blogs.att.net/consumerblog/story/a7795231


Well, that's not what I am reading there.

 

"We have done a review of our systems and found no evidence that the Heartbleed vulnerability has been exploited in our infrastructure or service components. We’ll continue to work with our vendors as they complete their own security assessments and provide updates to appropriate software. As always, we recommend customers carefully monitor their accounts and regularly change their passwords."

 

 

No evidence that it has been exploited? I wouldn't expect them to find evidence of exploitation since exploitation leaves no trace, no log, of its use.

 

Word games. Word games that mislead customers. Very irresponsible, in my opinion. Add to that the apparent fact that vendors haven't even completed their review and I'd say that Blog post is useless. Worse than useless, dangerous.

 

I would say that I'm disappointed, but that would imply that I expect a giant corporation like AT&T to actually care about its customers' welfare. It doesn't, and I know that.

 

 

Message 15 of 19 (3,392 Views)