A new security vulnerability called “Heartbleed” is making its way across the internet. It affects VPN users and has to do with a bug in the OpenSSL library (more specific information is below). The purpose of this blog post is to share information about the vulnerability and to address any concerns that might exist with IMAGINiT's Clarity Connect software and the VPN tunnel that it uses to connect multiple firms, enabling better live Revit project collaboration.
While Clarity Connect's VPN utilizes OpenSSL, Clarity Connect (and its users) are not affected by the Heartbleed vulnerability. If you are using Clarity Connect and the Clarity Connect VPN, there is nothing you need to do. However, if you are using an alternate VPN solution, please be sure your VPN solution is patched to address this security bug.
IMAGINiT Clarity Connect is not affected by the Heartbleed vulnerability because it uses an older version of the OpenVPN application/OpenSSL library that does not have this vulnerability. You can find more information here:
https://community.openvpn.net/openvpn/wiki/heartbleed
(IMAGINiT Clarity Connect bundles OpenVPN 2.2.1, which includes OpenSSL 1.0.0d).
You can read more about the Heartbleed OpenSSL Bug here:
http://www.zdnet.com/what-programs-are-critical-infrastructure-7000028241/?s_cid=e539&ttag=e539&ftag=TRE17cfd61
OpenSSL Bug reported:
https://www.openssl.org/news/secadv_20140407.txt
Heartbleed bug
On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.
The vulnerability has existed since December 31, 2011, and the vulnerable code came into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications and thereby implement a man-in-the-middle attack.
The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.
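For readers on an alternate VPN solution, here is one way to check a version banner against the affected range quoted above (1.0.1 through 1.0.1f). This is an added example, not part of the original post or of IMAGINiT's software; the function names and status strings are made up for this illustration, and the input is assumed to be a banner such as the output of `openssl version`.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version banner against the range
# named in this post (1.0.1 through 1.0.1f). Names below are hypothetical.
LC_ALL=C; export LC_ALL   # keep [a-z] / [a-f] ranges ASCII-only

# Print the "X.Y.Z[letter][-suffix]" version that follows "OpenSSL " in a
# banner, or nothing if the banner contains no such version.
openssl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*-\{0,1\}[a-z0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of:
#   in-affected-range       version string is 1.0.1 .. 1.0.1f (vendor
#                           suffixes such as "-fips" are kept in range)
#   outside-affected-range  any other release version, e.g. 1.0.0d
#   unknown                 no version found, or a pre-release build that
#                           the range quoted in this post does not cover
heartbleed_status() {
    ver=$(openssl_version_from_banner "$1")
    case "$ver" in
        '' | *-beta* | *-dev* | *-pre*)
            echo unknown ;;
        1.0.1 | 1.0.1[a-f] | 1.0.1-* | 1.0.1[a-f]-*)
            echo in-affected-range ;;
        *)
            echo outside-affected-range ;;
    esac
}

# Usage: sh check_openssl.sh "$(openssl version)"
if [ "$#" -gt 0 ]; then
    heartbleed_status "$*"
fi
```

A result of `in-affected-range` is a prompt to confirm with your VPN vendor rather than a final verdict, since some distributions backport the fix without changing the version string.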
If you made it this far, thanks for taking the time to review the information provided here and rest assured that Clarity remains secure!
Be safe out there.
Joe