UPDATED
As you may be aware, a major vulnerability has recently been discovered in OpenSSL, the popular encryption software that powers 2/3 of the web. Some LogMeIn services and products rely on OpenSSL.
We take the security of our customer data very seriously and at this time have no evidence of any compromise, but like many web companies, our security team took immediate action to proactively address the issue.
We’ve already updated many products and parts of our services that rely on OpenSSL, and are in the process of updating all remaining aspects of our services that leverage OpenSSL.
In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users and will provide product-specific updates if and when necessary.
Update:
We’ve completed key updates to impacted products and services, including replacing certificates on the affected servers. Below is a list of products impacted, steps taken and recommended customer actions.
NOT impacted by the OpenSSL vulnerability: LogMeIn Rescue, join.me, Hamachi and AppGuru
Impacted and updated:
LogMeIn Free, LogMeIn Pro, LogMeIn Central — LogMeIn hosts have been updated. Please see related blog post for specifics on the update and additional recommended actions.
BoldChat — Updated. We recommend BoldChat users change their BoldChat password.
Cubby — Updated.


It seems… when the damage is done, just upgrading and updating will not be enough. What is LogMeIn doing to REBUILD security?
Have they fixed the issue yet?
What do we need to do on our end?
- update the version running?
- Change our master password?
- change passwords to individual computers?
Willem -
I have to ask, what do you mean by REBUILD security? Actual exploitation of this vulnerability has not been identified yet (as far as I know) and patching the vulnerability does remove the problem. It does require a reissuing of keys and it is a good idea to change your password on your LogMeIn account and other sites affected by this, like Facebook. I’m curious what “rebuild” means because I would imagine you would apply that to Facebook and other sites this may have affected, correct?
OK Sandor, I have reached my breaking point.
5 Days.
5 Days, we have waited. 5 Days and NO STATUS. No notification of which products are secure.
You Said:
We’ve already updated many products and parts of our services that rely on OpenSSL, and are in the process of updating all remaining aspects of our services that leverage OpenSSL.
What kind of sidestepping BS is this?
I call up Support and they don’t know the status of ANYTHING. I had to work out THROUGH THE FRIGGIN COMMUNITY that LogMeIn ITSELF is secure because we got a damn HEX editor and opened the openssl.exe file and found that it was 1.0.1f, then an update came through and it was 1.0.1g. Why is it that I am figuring this out with a RANDOM DUDE in a DISCUSSION BOARD????? Shouldn’t I be getting updates to, at least, my SIGN ON EMAIL ADDRESS??? or better yet…. HOW ABOUT THE DAMN MAIN PAGE OF YOUR WEBSITE???
I asked to talk with the Product Manager for Hamachi, so maybe I could ask him/her if the product has been secured, but the support rep DIDN’T EVEN KNOW THE NAME OF THE PERSON!!
This kind of behavior is completely unacceptable. What kind of outfit are you running Sandor? Do you have control over the product managers? Get these turkeys in a room and GRILL THEM.
One question needs to be answered by EACH product manager
“Is your product secured?” Answer YES or NO only.
Post a list up and we will all STOP CALLING AND GETTING PISSED OFF. And for the love of Christ, will you get the support personnel in on the whole information loop, please?
Do you need me to come up there and take care of this for you? I’m in Connecticut… just one state away!! I’m sure there are a LOT of your customers that are senior technicians and network security engineers that would JOIN ME in coming up there and helping you out to get things in order.
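The check the commenter above describes, opening openssl.exe and reading the embedded version string, can be scripted. The following is an added example for defenders, not code from the original post or from LogMeIn; it assumes the binary carries the standard "OpenSSL 1.0.1f …" version string and only tells you which release was compiled in, not whether heartbeats were disabled at build time, so treat it as a triage aid rather than proof.

```python
import re

# OpenSSL builds embed a version banner such as "OpenSSL 1.0.1f 6 Jan 2014".
# This pattern captures just the version token (e.g. "1.0.1f", "1.0.2-beta1").
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")


def classify(version: str) -> str:
    """Map an OpenSSL version token to its status for this bug.

    Affected: every 1.0.1 release up to and including 1.0.1f, plus 1.0.2-beta1.
    Fixed: 1.0.1g and later. The 0.9.8 and 1.0.0 branches never had the bug.
    """
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if m:
        # "" (plain 1.0.1) and letters "a".."f" are vulnerable; "g"+ is patched.
        return "vulnerable" if m.group(1) <= "f" else "patched"
    if version == "1.0.2-beta1":
        return "vulnerable"
    return "not affected"


def scan_blob(data: bytes) -> list:
    """Return (version, status) pairs for every OpenSSL banner found in data."""
    results = []
    for match in VERSION_RE.finditer(data):
        version = match.group(1).decode("ascii")
        results.append((version, classify(version)))
    return results


def scan_file(path: str) -> list:
    """Read a binary (e.g. openssl.exe or libssl) and classify its banners."""
    with open(path, "rb") as f:
        return scan_blob(f.read())


# Constructed sample bytes standing in for an openssl.exe before and after the
# update described in the comment; the surrounding junk mimics unrelated data.
SAMPLE_BEFORE = b"\x00\x01junk...OpenSSL 1.0.1f 6 Jan 2014\x00more"
SAMPLE_AFTER = b"...OpenSSL 1.0.1g 7 Apr 2014\x00"

if __name__ == "__main__":
    for label, blob in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, scan_blob(blob))
```

Run `scan_file()` against each binary on a host to get a product-by-product status list; a "patched" result still needs the certificate reissue and password change the post recommends, because the fix does not undo anything leaked earlier.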
Is there a need to change the password? Thnx.
So should we tell our users to start changing their passwords?
Dear Sandor Palfy,
It would have been much more transparent and trustworthy if you LISTED the products that are patched and deemed OK to use. Some of us are GUIDING people along this process. We have had no guidance from you. Tech support reps had no clue what was going on, no statuses, no info.
Sorry to be snarky, but a 2-column list, Product on the left, status on the right, would be the best. When a status post raises more questions than it answers, it's not a productive post.
And furthermore, this really should be posted on the homepage also. It's OK to have been a victim of this vulnerability, but at least tell us how on-top-of-it you are. Our industry is nothing more than details en masse… without the details, we, and our customers, are lost adrift.
-PCTrauma
Is there possibility that secondary key-material was leaked? These are for example the user credentials (user names and passwords) used in the vulnerable services.
What is the status for each specific LogMeIn product? What is the status for Hamachi? It seems the client still uses the old, vulnerable OpenSSL version.
Which products are affected and which have been patched?
It has been days since the discovery of this bug. The fix is pretty simple: update OpenSSL to the latest version and rekey all your SSL certificates. Why isn't this done? Why don't your support staff know the status of your systems? For a company that depends on security, your failure to fix this in a timely manner and communicate clearly speaks volumes. This is a clear demonstration of how not to handle security and provide customer service. I believe the phrase is "epic fail".
Just to all those using Sonicwall products with Logmein sitting on the LAN side. This update brought down close to 50 of our stores as it was hammering the heck out of our Sonicwall TZ170s mostly, and pegged its CPU usage at 100%. Once we turned off External HTTPs usage the https connections back to logmein dropped and the problem disappeared. Basically we had an internal LAN DoS type attack caused by Logmein. Machines could NOT talk to each other because our router kept serving HTTPs connections to Logmein while they were ‘quietly’ patching the problem. We received close to 300 extra calls yesterday because of this! EPIC FAIL LOGMEIN!