Important Update for LogMeIn Pro and Central users

As you may be aware, a major vulnerability has recently been discovered for OpenSSL, the popular encryption software that powers 2/3 of the web. Some LogMeIn services and products rely on OpenSSL, including the LogMeIn Free and Pro hosts used in our popular remote access products.

We take the security of our customer data very seriously and at this time have no evidence of any compromise, but like many web companies, our security team took immediate action to proactively address the issue.

We’ve updated the LogMeIn host and related services to close the vulnerability, and we’re advising that customers take the following precautionary steps:

1) Check to confirm you’re running on the latest version of LogMeIn.

You can do that by hovering your mouse over computers in your Central or My Computers page on the LogMeIn.com site,

OR by right-clicking the LogMeIn icon in your system tray, opening the LogMeIn Control Panel and clicking the About tab.

[Screenshots: LogMeIn Control Panel About tab showing the installed version, on Windows PC and on Mac]

Confirm that the version number is 4.1.0.4144 or above on Windows, or 4.1.0.4145 or above on Mac.

If you are using an older version, please click the Check Updates button in the LogMeIn Control Panel (as described above), and update the software.

2) Change your passwords on your Windows PCs or Macs. This applies to the login credentials on the computers themselves. You do not have to change your LogMeIn login password.

3) Take a minute to review our FAQ on the LogMeIn help site.

4) If you are a Pro user and use file share (“Share a file”), you should recreate your file share links; i.e., delete any current/existing links and create new ones.
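For administrators checking step 1 across many hosts, the following is an added example (not LogMeIn's code) that applies the version thresholds from this post to an inventory list; the inventory columns are assumed, and the sample rows are constructed. It compares versions numerically, since a plain text comparison would rank 4.1.0.999 above 4.1.0.4144.

```python
# Added example (not LogMeIn's code): flag hosts in a Central-style inventory
# whose LogMeIn host version is below the patched build named in the post.
from typing import Dict, List, Tuple

# Minimum patched host versions from the advisory, per platform.
MIN_PATCHED = {
    "Windows": "4.1.0.4144",
    "Mac": "4.1.0.4145",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Split '4.1.0.4132' into (4, 1, 0, 4132) so comparison is numeric.
    String comparison is wrong here: '4.1.0.999' sorts after '4.1.0.4144' as text."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform: str, version: str) -> bool:
    """True when the installed host is older than the patched build for its platform."""
    if platform not in MIN_PATCHED:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(MIN_PATCHED[platform])

def outdated_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of hosts still running a pre-patch build."""
    return [h["name"] for h in inventory if needs_update(h["platform"], h["version"])]

# Constructed sample inventory (column names assumed; not a real Central export).
SAMPLE_INVENTORY = [
    {"name": "FILESRV01", "platform": "Windows", "version": "4.1.0.4132"},
    {"name": "RECEPTION-PC", "platform": "Windows", "version": "4.1.0.4144"},
    {"name": "design-imac", "platform": "Mac", "version": "4.1.0.4144"},  # Mac needs 4145
    {"name": "lab-macbook", "platform": "Mac", "version": "4.1.0.4150"},
]

if __name__ == "__main__":
    for name in outdated_hosts(SAMPLE_INVENTORY):
        print(f"{name}: update required")
```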

In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users, and will provide additional product-specific updates if necessary.

Written by Akos Putz

Akos is the Product Owner of LogMeIn Pro.

12 thoughts on “Important Update for LogMeIn Pro and Central users”

  1. I have a Facebook account but I don’t know my password. I forgot it. Can you text it to me? Thank you so much.

  2. What about LogMeIn Rescue? Is it affected? What about clients with unattended access enabled?

  3. What I don’t understand is how the Host could even be vulnerable. The technical data on the Heartbleed OpenSSL vulnerability indicates that the hacker makes an incoming connection to exercise the exploit. LogMeIn Pro/Free Hosts only make an outgoing connection. Even if they use the defective version of OpenSSL, it would seem they couldn’t be exploited.

    It would seem to me LogMeIn would only be vulnerable on the Servers that LogMeIn maintains to accept the Host connection.

    Just trying to get a better feel for how vulnerable this makes the host system. If the host may have been compromised, should new computer access codes also be used?

    • Was the vulnerability actually on the LogMeIn servers, and the new LogMeIn Pro/Free version is just updating to a new certificate? I could see that being the reason for it needing to be updated, and I could see needing to change the O/S user password if it could have been compromised on the LogMeIn Servers through the authentication data that was sent through them from the remote to the host. Thanks!

      • Robert,

        Your assumptions are correct. However, we don’t want to take any chances.
        In this most recent release, we have updated the host to the latest version of OpenSSL, which fixes the vulnerability.
        With further changes coming soon, we are going to replace all critical client side elements of the communication between the server and the hosts, including client certificates.

  4. I’ve tried the steps you have here, but I get a message saying that no update is available even though the current version in the About tab shows to be 4.1.0.4132. We are running LogMeIn Pro.

  5. We need some more information on how this vulnerability could have been exploited. I have hundreds of PCs on my Central console, we cannot just be told to change the passwords on all of them without knowing the mechanism which would have harvested these passwords.

    None of my PCs are accessible from the Internet over HTTPS – they make an outgoing HTTPS call to logmein.

    So we can assume that the fact that logmein.com was vulnerable means that any PC connecting to them could have had their session on logmein’s servers available to be compromised.

    None of my machines are set to store passwords at LogMeIn. Or is it a case that all clients give their passwords to LogMeIn when connecting?

    All my passwords are domain/PC type passwords. Do these need changing, or is it just “personal passwords” set within LogMeIn which are given up to LogMeIn’s servers when connecting?

    If I have never accessed a machine, could the password have been stolen?

    MORE INFORMATION IS NEEDED – doing what is being suggested will take days and upset many of my customers and I need to know if there’s any point.
