ljkbirk's profile

Contributor

 • 

1 Message

Wednesday, April 9th, 2014 10:46 PM

Heartbleed OpenSSL vulnerability and 2WIRE/Pace 3600HGV?

Is the 3600HGV (software 6.9.1.42-plus.tm) affected by this vulnerability?

Tutor

 • 

3 Messages

10 years ago

This is my worry. The router does have the flaw or AT&T's management software has the flaw. AT&T must use SSL to secure its connection to the routers and must have connected to them in the past 2 years (updates etc). Was someone listening or capturing packets? Do they now have the certificates for a number of or all end routers (I'd bet they use a couple hundred certs and apply them to thousands of devices) or worse yet was AT&T's management software compromised, giving open access to all routers?

 

With access to the router anything can be done. It's not simply, oh well your router is compromised. It's let's patch these routers so that all traffic gets sent to a nefarious server or let's listen in on the VoIP conversations or let's mine all traffic for 16 digit credit card numbers or 9 digit socials or read email or make a botnet or find open file shares and modify files or find IP webcams and see/hear what is going on or you name it!

 

We need an official response!

 

 

ACE - Expert

 • 

35K Messages

10 years ago


@XiozTzu wrote:

...

 

"openssl

Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved..."

 

...


If this copyright date is accurate, then you have nothing to worry about.  The affected code wasn't submitted until 2011.

Tutor

 • 

3 Messages

10 years ago

Maybe, but until they tell us the version on these boxes I will not be happy. A copyright notice is not a code version number.

 

It's simple... The box says it is using OpenSSL so AT&T needs to give us a definitive response that confirms it is secure.

Tutor

 • 

4 Messages

10 years ago


@ATTDmitriyCM wrote:

We have found no issues due to the bug, but will continue to monitor.

 

More info here: http://blogs.att.net/consumerblog/story/a7795231


Well, that's not what I am reading there.

 

"We have done a review of our systems and found no evidence that the Heartbleed vulnerability has been exploited in our infrastructure or service components. We’ll continue to work with our vendors as they complete their own security assessments and provide updates to appropriate software. As always, we recommend customers carefully monitor their accounts and regularly change their passwords."

 

 

No evidence that it has been exploited? I wouldn't expect them to find evidence of exploitation since exploitation leaves no trace, no log, of its use.

 

Word games. Word games that mislead customers. Very irresponsible, in my opinion. Add to that the apparent fact that vendors haven't even completed their review and I'd say that Blog post is useless. Worse than useless, dangerous.

 

I would say that I'm disappointed, but that would imply that I expect a giant corporation like AT&T to actually care about its customers' welfare. It doesn't, and I know that.

 

 

ACE - Expert

 • 

35K Messages

10 years ago


@noagenda wrote:

... I wouldn't expect them to find evidence of exploitation since exploitation leaves no trace, no log, of its use...

 


Actually, that's not strictly true.  A detailed log that shows the length of the response could indicate an issue.  Yes, while you could use the exploit with small enough packets to fly under the radar, it makes it much less effective as a tool to mine information.  In any case, most web sites are not going to keep detailed logs around for the years they would need to, and many servers wouldn't have logs at all.

 

However, large corporations are eat up with lawyers and what you're seeing is probably more than counsel wanted them to say.
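The length check described in the post above, sketched as an added example that is not part of the original thread: it compares the size of each TLS heartbeat request with the total size of the heartbeat records sent back on the same connection. The log format, connection ids, lengths and the `tolerance` default are constructed for illustration, and it assumes heartbeats are client-initiated.

```python
import csv
import io

TLS_HEARTBEAT = 24  # TLS record content type for heartbeat messages (RFC 6520)

# Constructed sensor log (not from the thread): one row per TLS record observed.
# Columns: time, connection id, direction (c2s / s2c), content type, record length.
SAMPLE_LOG = """\
time,conn,dir,ctype,length
10:00:01,c1,c2s,22,512
10:00:01,c1,s2c,22,1460
10:00:05,c1,c2s,24,61
10:00:05,c1,s2c,24,61
10:02:11,c2,c2s,24,40
10:02:11,c2,s2c,24,16384
10:02:11,c2,s2c,24,16384
10:03:40,c3,c2s,23,900
10:03:40,c3,s2c,23,15000
"""

def find_oversized_heartbeats(log_text, tolerance=32):
    """Return (conn, time, request_len, response_len) for each heartbeat
    exchange whose response is larger than the request plus `tolerance`.

    A legitimate response echoes the request payload, so the two sizes
    should differ only by padding. `tolerance` (an assumed value) absorbs
    that difference.
    """
    pending = {}    # conn -> [time, request_len, response_bytes_so_far]
    findings = []

    def close(conn):
        entry = pending.pop(conn, None)
        if entry and entry[2] > entry[1] + tolerance:
            findings.append((conn, entry[0], entry[1], entry[2]))

    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["ctype"]) != TLS_HEARTBEAT:
            continue                      # handshake and application data are ignored
        conn, length = row["conn"], int(row["length"])
        if row["dir"] == "c2s":
            close(conn)                   # a new request ends the previous exchange
            pending[conn] = [row["time"], length, 0]
        elif conn in pending:
            pending[conn][2] += length    # a response may span several records
    for conn in list(pending):
        close(conn)
    return findings

if __name__ == "__main__":
    for finding in find_oversized_heartbeats(SAMPLE_LOG):
        print("suspicious heartbeat exchange:", finding)
```

This only works where record-level lengths were captured at the time, which is the limitation the post points out: most sites did not keep that level of detail.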

Contributor

 • 

1 Message

10 years ago

Kudos! I understand what you're saying, and you appear well informed to the point of presenting all the possibilities. You don't negate the possibility we have an issue with our routers. I'm more concerned with someone accessing my system spoofing Microsoft Certs than I am my home router; that too doesn't exclude router vulnerabilities.

 

I have a Netgear(sic) B90-755025-15 router from AT&T and am concerned that updates to the router OS be done to patch things up; my router also indicates no patches in years and of course Netgear doesn't even acknowledge that router as theirs (for not so obvious reasons). I believe I read and discovered for myself the router is actually another discontinued brand.

 

This vulnerability has been around since 2011; and I've been complaining about the situation that led up to Heartbleed for even longer than that. This one just seems to be the first one we've found in located in security. So far, I can only really testify that I am experiencing higher than normal internet slow down, which should improve once spring break and Easter vacation is over and the kiddies go back to school.

 

I think this particular vulnerability is being worked on, and probably since 2011. I know I don't release vulnerabilities to the public when I find them, for obvious reasons mentioned in an earlier post.

 

It came as no surprise to me that the first attack on my wife's old Windows XP machine was to Microsoft security essentials. I had to remove MSE to regain control of the machine, and have yet to reload it to see if it will work. Still, I think the only solution to Heartbleed is to remain vigilant, and fix problems as we find them.

 

The best advice I saw for consumers was: When a service you use informs you to change your password... do so... ASAP; and keep your system(s) up to date.

 

Kudos, and thanks again for your informed postings... I do hope that's a white hat I see on your head. 😉 Even the whitest hat appears smudged with a little dirt, when viewed up close.

Contributor

 • 

1 Message

10 years ago

Based on the copyright date (2006), you're safe. Heartbleed was introduced in December 2011.

ACE - Expert

 • 

35K Messages

10 years ago


@red floyd wrote:
Based on the copyright date (2006), you're safe. Heartbleed was introduced in December 2011.

I believe I said that... 6 posts back:

 

http://forums.att.com/t5/Residential-Gateway/Heartbleed-OpenSSL-vulnerability-and-2WIRE-Pace-3600HGV/m-p/3940410

 
