Community discussions

 
zylantha
just joined
Topic Author
Posts: 11
Joined: Sat Oct 30, 2010 3:06 pm

Heartbleed vulnerability OpenSSL [RouterOS IS NOT affected]

Tue Apr 08, 2014 6:21 am

Does anybody know if RouterOS is affected by the Heartbleed vulnerability in OpenSSL and if so when it will be patched?

I presume that RouterOS uses OpenSSL for its encryption in for example SSTP VPN.
 
onnoossendrijver
Member
Member
Posts: 418
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 10:08 am

Quote from some time ago:
We don't use GnuTLS. We use OpenSSL which has no such problems

http://demo2.mt.lv/help/license.html
Seems like it's vulnerable.
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
nicklowe
just joined
Posts: 13
Joined: Thu Dec 26, 2013 5:06 pm

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 10:25 am

I asked about this issue in ticket #2014040866000258 as soon as I became aware of the vulnerability.

I will update back here when I hear anything from MikroTik.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 12:27 pm

ALL prior RouterOS releases (6.11 and older) are not affected by this vulnerability as older OpenSSL library where used.

In addition RouterOS 6.12 will have new OpenSSL library that has this vulnerability resolved.


Edited for clarity.
 
robertpenz
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 3:32 pm

Does this mean 6.x have the vulnerability and 5.x don't?
 
User avatar
indnti
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Thu Nov 09, 2006 11:53 am

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 3:58 pm

[quote] all prior RouterOS releases are not affected by this issue as older OpenSSL libraries where used.
6.12 will have newer OpenSSL with this vulnerability patched. [/quote]

Is Router OS 6.x effected or not? And if so, where can I download Version 6.12 ?
 
nicklowe
just joined
Posts: 13
Joined: Thu Dec 26, 2013 5:06 pm

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Tue Apr 08, 2014 4:28 pm

I was told that:
all current released RouterOS versions are not affected by this issue. 6.12 will
have newer OpenSSL with this problem patched.
:)
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Heartbleed vulnerability in OpenSSL RouterOS IS NOT affe

Tue Apr 08, 2014 4:37 pm

my post in this thread was edited for clarity.

So, neither already released RouterOS versions is affected by this vulnerability. Not 6.x. Not 5.x.

And starting 6.12 we will have updated OpenSSL library that is not affected by it.
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Heartbleed vulnerability in OpenSSL RouterOS IS NOT affe

Tue Apr 08, 2014 5:10 pm

So, neither if already released RouterOS versions is affected by this vulnerability. Not 6.x. Not 5.x.
Wow! At least as far as this vulnerability is concerned, that was some "The Matrix" style bullet dodging! Great job Neo... I mean, MikroTik. :lol:
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
nicklowe
just joined
Posts: 13
Joined: Thu Dec 26, 2013 5:06 pm

Re: Heartbleed vulnerability in OpenSSL RouterOS IS NOT affe

Thu Apr 10, 2014 11:48 am

[url=http://forum.mikrotik.com/viewtopic.php ... 18#p420218]And starting 6.12 we will have updated OpenSSL library that is not affected by it.
Does this mean that we will see TLS 1.2 support in 6.12?

Who is online

Users browsing this forum: No registered users and 75 guests