mick
Contributor

Heartbleed bug and Netvanta 3120

Hi,

Should I be replacing my VPN SSL certificates as well as the device passwords immediately, or should I wait for a new firmware to come out first?

Regards,

Mick

Anonymous
Not applicable

Re: Heartbleed bug and Netvanta 3120

Hi mick:

I conducted testing today and found no AOS-based products to be vulnerable to Heartbleed.  I tested a few NetVanta switch and router products across a few R10+ and pre-R10 software versions without any vulnerability detected.  Perhaps ADTRAN will provide an official statement, but my own anecdotal testing turns up negative for AOS.  At least one other ADTRAN product is known to be vulnerable.

This does not mean that web servers behind an AOS firewall are safe.  If you have port-forwarding to an HTTPS server running a version of OpenSSL that is vulnerable, then that server needs to be patched.  The port-forwarding could be removed to block traffic as a short-term way to mitigate risk.

Best,

CJ

Re: Heartbleed bug and Netvanta 3120

Thanks CJ,

I also tested the 3120 using an online tester on ports 500 and 4500, but I am still not sure if it will leak its memory during a VPN session that uses certificates.

Regards,

Mick

Anonymous
Not applicable

Re: Heartbleed bug and Netvanta 3120

You can find out more information in regard to ADTRAN products affected by Heartbleed through the recent ADTRAN Heartbleed Advisory.

General security advisories are also posted on our support community in the Security Advisories section.

Levi

Re: Heartbleed bug and Netvanta 3120

Thanks Levi, I saw the advisory when it went out.  I replaced the SSL certificates on the Netvanta and clients anyway, to be on the safe side.