LogMeIn and OpenSSL

UPDATED

As you may be aware, a major vulnerability has recently been discovered in OpenSSL, the popular encryption software that powers roughly two thirds of the web. Some LogMeIn services and products rely on OpenSSL.

We take the security of our customer data very seriously and at this time have no evidence of any compromise, but like many web companies, our security team took immediate action to proactively address the issue.

We’ve already updated many products and parts of our services that rely on OpenSSL, and are in the process of updating all remaining aspects of our services that leverage OpenSSL.

In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users and will provide product-specific updates if and when necessary.

Update:

We’ve completed key updates to impacted products and services, including replacing certificates on the affected servers. Below is a list of products impacted, the steps taken and the recommended customer actions.

NOT impacted by the OpenSSL vulnerability: LogMeIn Rescue, join.me, Hamachi and AppGuru

Impacted and updated:

LogMeIn Free, LogMeIn Pro, LogMeIn Central — LogMeIn hosts have been updated. Please see this related blog post and FAQ for specifics on the update and additional recommended actions.

BoldChat — Updated. We recommend BoldChat users change their BoldChat password.

Cubby — Updated. We’re recommending that Cubby users change their login password.

Written by Sandor Palfy

Sandor is the Chief Technology Officer of the Identity & Access Business Unit at LogMeIn.

16 thoughts on “LogMeIn and OpenSSL”

  1. It seems… when the damage is done, just upgrading and updating will not be enough. What is LogMeIn doing to REBUILD security?

    • Have they fixed the issue yet?
      What do we need to do on our end?
      – update the version running?
      – Change our masterpassword?
      – change passwords to individual computers?

    • Willem –

      I have to ask, what do you mean by REBUILD security? Actual exploitation of this vulnerability has not been identified yet (as far as I know) and patching the vulnerability does remove the problem. It does require a reissuing of keys and it is a good idea to change your password on your LogMeIn account and other sites affected by this, like Facebook. I’m curious what “rebuild” means because I would imagine you would apply that to Facebook and other sites this may have affected, correct?

    • OK Sandor, I have reached my breaking point.

      5 Days.

      5 Days, we have waited. 5 Days and NO STATUS. No notification of which products are secure.

      You Said:
      We’ve already updated many products and parts of our services that rely on OpenSSL, and are in the process of updating all remaining aspects of our services that leverage OpenSSL.

      What kind of sidestepping BS is this?

      I call up Support and they don’t know the status of ANYTHING. I had to work out THROUGH THE FRIGGIN COMMUNITY that LogMeIn ITSELF is secure because we got a damn HEX editor and opened the openssl.exe file and found that it was 1.0.1f, then an update came through and it was 1.0.1g. Why is it that I am figuring this out with a RANDOM DUDE in a DISCUSSION BOARD????? Shouldn’t I be getting updates to, at least, my SIGN ON EMAIL ADDRESS??? or better yet…. HOW ABOUT THE DAMN MAIN PAGE OF YOUR WEBSITE???

      I asked to talk with the Product Manager for Hamachi, so maybe I could ask him/her if the product has been secured, but the support rep DIDN’T EVEN KNOW THE NAME OF THE PERSON!!

      This kind of behavior is completely unacceptable. What kind of outfit are you running Sandor? Do you have control over the product managers? Get these turkeys in a room and GRILL THEM.

      One question needs to be answered by EACH product manager
      “Is your product secured?” Answer YES or NO only.

      Post a list up and we will all STOP CALLING AND GETTING PISSED OFF. And the love of Christ, will you get the support personnel in on the whole information loop, please?

      Do you need me to come up there and take care of this for you? I’m in Connecticut… just one state away!! I’m sure there are a LOT of your customers that are senior technicians and network security engineers that would JOIN ME in coming up there and helping you out to get things in order.

  2. Dear Sandor Palfy,

    It would have been much more transparent and trustworthy if you LISTED the products that are patched and deemed OK to use. Some of us are GUIDING people along this process. We have had no guidance from you. Tech support reps had no clue what was going on, no statuses, no info.

    Sorry to be snarky, but a 2-column list, product on the left, status on the right, would be the best. When a status post raises more questions than it answers, it’s not a productive post.

    And furthermore, this really should be posted on the homepage also. It’s OK to have been a victim of this vulnerability, but at least tell us how on-top-of-it you are. Our industry is nothing more than details en masse… without the details, we, and our customers, are lost adrift.

    -PCTrauma

  3. Is there a possibility that secondary key material was leaked? These are, for example, the user credentials (user names and passwords) used in the vulnerable services.

  4. What is the status for specific LogMeIn products? What is the status for Hamachi? It seems the client still uses the old, vulnerable OpenSSL version.

  5. It has been days since the discovery of this bug. The fix is pretty simple: Update the OpenSSL to the latest version and rekey all your SSL certificates. Why isn’t this done? Why don’t your support staff know the status of your systems? For a company that depends on security your failure to fix this in a timely manner and communicate clearly speaks volumes. This is a clear demonstration of how not to handle security and provide customer service. I believe the phrase is “epic fail”.
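The two checks that commenters above carried out by hand (reading the OpenSSL version string out of a binary to see whether it had moved from 1.0.1f to 1.0.1g, and confirming that certificates were reissued after the fix) can be scripted. The following is an added example written for this page, not LogMeIn code: it classifies an OpenSSL version banner against the publicly known affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the first fixed release of that branch) and checks whether a certificate's notBefore date, as printed by `openssl x509 -noout -startdate`, postdates the fix. The host names and banners in the inventory are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Heartbleed affected OpenSSL 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g, released 7 April 2014, is the first fixed release of the 1.0.1 branch.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches 'OpenSSL 1.0.1f 6 Jan 2014', 'OpenSSL 1.0.2-beta1 ...', etc.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?"
)


def parse_openssl_version(banner: str):
    """Return (major, minor, patch, letter, prerelease) from an OpenSSL banner.

    The banner is what `openssl version` prints and also what the version
    string embedded in a library or openssl.exe looks like."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version string in {banner!r}")
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def is_heartbleed_vulnerable(banner: str) -> bool:
    """True if the banner names a build in the affected range."""
    major, minor, patch, letter, pre = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # Bare 1.0.1 (empty letter) through 1.0.1f are affected; 1.0.1g+ fixed.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False


def cert_reissued_after_fix(start_date_line: str) -> bool:
    """Check the 'notBefore=...' line from `openssl x509 -noout -startdate`.

    A certificate whose validity starts before the fix date was not reissued
    after patching and is a candidate for replacement. Note that a reissue
    can reuse the old private key, so a passing date alone does not prove the
    key was rotated; compare the public key fingerprint as well."""
    value = start_date_line.split("=", 1)[1]
    value = " ".join(value.split())  # collapse the 'Apr  9' double space
    not_before = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return not_before.replace(tzinfo=timezone.utc) >= FIX_DATE


# Constructed sample inventory (hypothetical hosts, not real LogMeIn data).
SAMPLE_INVENTORY = {
    "host-a": "OpenSSL 1.0.1f 6 Jan 2014",
    "host-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "host-c": "OpenSSL 1.0.0l 6 Jan 2014",
    "host-d": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def triage(inventory: dict) -> list:
    """Return the sorted names of hosts still reporting an affected build."""
    return sorted(h for h, b in inventory.items() if is_heartbleed_vulnerable(b))


if __name__ == "__main__":
    print("still running an affected OpenSSL:", triage(SAMPLE_INVENTORY))
    print("cert reissued after fix:",
          cert_reissued_after_fix("notBefore=Apr  9 00:00:00 2014 GMT"))
```

The version check is the same comparison the hex-editor approach performs by eye, applied across a whole inventory; the certificate check is the second half of "update and rekey", since a patched library on a host that still presents its pre-fix certificate has not completed remediation.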

  6. Just to all those using Sonicwall products with Logmein sitting on the LAN side. This update brought down close to 50 of our stores as it was hammering the heck out of our Sonicwall TZ170s mostly, and pegged its CPU usage at 100%. Once we turned off External HTTPs usage the https connections back to logmein dropped and the problem disappeared. Basically we had an internal LAN DoS type attack caused by Logmein. Machines could NOT talk to each other because our router kept serving HTTPs connections to Logmein while they were ‘quietly’ patching the problem. We received close to 300 extra calls yesterday because of this! EPIC FAIL LOGMEIN!

  7. This is an unexpected response. I was expecting we would be changing our logmein.com website password, but we’re being told to change the computer passwords!?

    1. Why are we not being told to change our logmein.com login credentials?

    2. How are local computer credentials compromised while the logmein.com credentials were not?

    3. Presumably if there are multiple users on a computer the only credentials affected are the ones actually used to authenticate via a logmein session at any point in the past two years?

    4. Presumably a computer not in a logmein.com account now, but in one in the past 2 years, would still need its credentials changed as its credentials are still “out there” and associated with your logmein.com login name.

    These directions are unlike any other company’s. I think a technical explanation from Logmein is in order here.

    • Eric,

      Logmein.com web servers don’t use OpenSSL, that is why web site logins are not affected.
      Hosts connect to a different set of servers. The affected version of OpenSSL was introduced 6 months ago.

      • So are the only credentials that are compromised are ones actually used to start logmein session in the past 6 months? Other user credentials on the computers are not affected?

  8. As a non-techie that has been using Logmein for the last ten years, I still only know what I need to know to access my home computer when I am away travelling. I have seen the notification email and am having difficulty upgrading my version – it keeps saying that it is available for download, but doesn’t.

    In addition to this, the discussion about OpenSSL is beyond me; however, your answer, Sandor, on 14 April says you don’t use the offending OpenSSL, but your website message reads as follows:

    —————————

    “OpenSSL, the platform where approximately two thirds of the internet operates, was vulnerable to an external security attack being commonly referred to as “Heartbleed”. Some LogMeIn services and products rely on OpenSSL, including LogMeIn Free and LogMeIn Pro, so we took this threat very seriously and acted immediately to address the issue.

    We have updated the LogMeIn host software and related services to close the vulnerability. Prior to this update, the username and password of the host Windows or Mac computer was potentially vulnerable to an attack during a remote session.”

    —————————

    I have no idea what any of this means, I just need to know:

    1. How do I download a new version
    2. Do I need to change my password
