Frequently Asked Questions About the 2011-01-27 Vulnerability
What is the vulnerability?
On January 27, 2011, the following announcement was made:
A bug causing a security problem exists in Tunnelblick versions 3.1, 3.1.1, and 3.1.2. It allows an unprivileged user to erase the contents of any file, including important system files, on any macOS system with a vulnerable version of Tunnelblick installed. As far as is known as of 2011-01-27, the bug cannot be used to take control of the system or obtain root access.
At this time, further details of the vulnerability are being withheld.
How can I protect my computer from this vulnerability?
- Update to the latest version of Tunnelblick as soon as possible:
  Note: you will need your computer's administrator password.
  - Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "Options", then click on "Check for Updates". You'll be guided through the update process.
  - If the "Options" or "Check for Updates" menu items are not available, you will need to do a manual installation:
    - Download the latest stable version from the Downloads page and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
    - If your version of Tunnelblick is installed in /Applications, double-click on the Tunnelblick icon. You will be guided through the update process.
    - Otherwise, drag the Tunnelblick icon to the folder in which Tunnelblick is installed and replace your current version.
- Make sure you do not have any copies (including backup copies) of vulnerable versions of Tunnelblick anywhere else on an internal hard drive.
What versions of Tunnelblick are vulnerable?
Versions 3.1, 3.1.1, and 3.1.2 are vulnerable.
What versions of Tunnelblick are NOT vulnerable?
The following versions of Tunnelblick are not vulnerable:
- 3.1.3 and later
- 2.0.1
- 3.0.1
- 3.0b10, 3.0b9, 3.0b8, and 3.0b7
- All other 3.0 versions, including beta versions. However, all of these versions have another, different security vulnerability.
What version of Tunnelblick do I have?
- Find Tunnelblick.app (it is usually in the /Applications folder).
- Click on Tunnelblick.app to select it.
- Click "File", then "Get Info". A window will appear with (among other things) version information.
If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
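The Get Info check above, and the earlier advice to look for leftover copies on internal drives, can be scripted. The following is an added example, not part of Tunnelblick or of the original FAQ. It assumes that copies keep the bundle name Tunnelblick.app and that the version is the first token of CFBundleShortVersionString in Contents/Info.plist.

```python
import os
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Versions the announcement names as vulnerable.
VULNERABLE = {"3.1", "3.1.1", "3.1.2"}

def bundle_version(app_path):
    """Return the leading version token from the bundle's Info.plist, or None."""
    plist = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist, "rb") as fh:
            info = plistlib.load(fh)  # handles XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None  # missing, unreadable or malformed plist
    # Assumption: the version lives in CFBundleShortVersionString and may be
    # followed by build details, e.g. "3.1.2 (build ...)".
    raw = info.get("CFBundleShortVersionString") if isinstance(info, dict) else None
    if not isinstance(raw, str) or not raw.split():
        return None
    return raw.split()[0]

def classify(version):
    """Map a version token to a status using only what the FAQ states."""
    if version is None:
        # FAQ: no version information means 3.0b9 or earlier.
        return "NO VERSION INFO"
    if version in VULNERABLE:
        return "VULNERABLE"
    return "not listed as vulnerable"

def find_copies(roots):
    """Yield (path, version, status) for each Tunnelblick.app under roots."""
    for root in roots:
        for dirpath, dirnames, _files in os.walk(root):
            if "Tunnelblick.app" in dirnames:
                dirnames.remove("Tunnelblick.app")  # do not descend into the bundle
                path = os.path.join(dirpath, "Tunnelblick.app")
                version = bundle_version(path)
                yield path, version, classify(version)

if __name__ == "__main__":
    # Pass the internal-drive folders to search; defaults to /Applications.
    found = list(find_copies(sys.argv[1:] or ["/Applications"]))
    for path, version, status in found:
        print(f"{status:<24}  {version or '-':<10}  {path}")
    sys.exit(1 if any(s == "VULNERABLE" for _, _, s in found) else 0)
```

A nonzero exit status means at least one copy reports 3.1, 3.1.1 or 3.1.2. The script cannot tell whether a copy has ever been run, so check each reported path by hand.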
Do I need to be running Tunnelblick to be vulnerable?
No. If a vulnerable version of Tunnelblick is installed, your computer is vulnerable.
Are uninstalled copies of Tunnelblick vulnerable?
No. Uninstalled copies (on a downloaded .dmg disk image or in a .zip archive, for example, or that have been copied from a disk image or expanded from an archive but never run) are not vulnerable.
Are backup copies of Tunnelblick vulnerable?
Backups on external or network drives are not vulnerable. Copies that have been restored from backup and are on internal drives are vulnerable. Backups on internal drives may be vulnerable.
Does the vulnerability have anything to do with OpenVPN or OpenSSL?
No, this is a vulnerability in Tunnelblick itself, not in OpenVPN or OpenSSL.
How was the vulnerability discovered?
It was discovered during a security audit by the current Tunnelblick developer.