Frequently Asked Questions About the 2011-01-12 Vulnerability

On This Page
    What is the vulnerability?
    How can I protect my computer from this vulnerability?
    What if I can't use the latest version?
    What versions of Tunnelblick are vulnerable?
    What versions of Tunnelblick are NOT vulnerable?
    What version of Tunnelblick do I have?
    Are there any exploits?
    Do I need to be running Tunnelblick to be vulnerable?
    Are uninstalled copies of Tunnelblick vulnerable?
    Are backup copies of Tunnelblick vulnerable?
    Does the vulnerability have anything to do with OpenVPN or OpenSSL?
    How was the vulnerability discovered?

What is the vulnerability?

On January 12, 2011, the following announcement was made:
A bug causing an exploitable security problem exists in Tunnelblick versions after 3.0b10 and prior to 3.1.1. It allows an unprivileged user to gain root privileges on any Mac OS X system with a vulnerable version of Tunnelblick installed.

At this time, further details of the vulnerability are being withheld.

How can I protect my computer from this vulnerability?

  1. Update to the latest version of Tunnelblick as soon as possible:
    Note: you will need your computer's administrator password.
  • Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "Options", then click on "Check for Updates". You'll be guided through the update process.
  • If the "Options" or "Check for Updates" menu items are not available, you will need to do a manual installation:
    • Download the latest stable version from the Downloads page and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
    • If your version of Tunnelblick is installed in /Applications, double-click on the Tunnelblick icon. You will be guided through the update process.
    • Otherwise, drag the Tunnelblick icon to the folder in which Tunnelblick is installed and replace your current version.
  2. Make sure you do not have any copies (including backup copies) of vulnerable versions of Tunnelblick anywhere else on an internal hard drive.

What if I can't use the latest version?

  1. Update to version 3.0.1, which is not vulnerable. It has been created for anyone who cannot use version 3.1.1 or later.
    Note: you will need your computer's administrator password.
  • Download Tunnelblick 3.0.1 and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
  • If your version of Tunnelblick is installed in /Applications, double-click on the Tunnelblick icon. You will be guided through the update process.
  • Otherwise, drag the Tunnelblick icon to the folder in which Tunnelblick is installed and replace your current version.
  2. Make sure you do not have any copies (including backup copies) of vulnerable versions of Tunnelblick anywhere else on an internal hard drive.

What versions of Tunnelblick are vulnerable?

All versions after 3.0b10 and before 3.1.1 except version 3.0.1.

What versions of Tunnelblick are NOT vulnerable?

The following versions of Tunnelblick are not vulnerable:

  • 3.1.1 and later
  • 3.0b10 and earlier
  • 3.0.1

What version of Tunnelblick do I have?

  1. Find Tunnelblick.app (it is usually in the /Applications folder).
  2. Click on Tunnelblick.app to select it.
  3. Click "File", then "Get Info". A window will appear with (among other things) version information.

If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
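The version check above, and the "no stray copies on an internal drive" step of the two update procedures, can be done for every Tunnelblick.app bundle under a directory at once. The following is an added example, not code from the Tunnelblick project; it assumes each bundle's Contents/Info.plist reports its version in the standard CFBundleShortVersionString key, and it applies this page's rule (vulnerable if after 3.0b10 and before 3.1.1, except 3.0.1; no version information means 3.0b9 or earlier).

```python
import os
import plistlib
import re
import sys

# Vulnerable range stated on this page: after 3.0b10, before 3.1.1, except 3.0.1.
LAST_SAFE_OLD, FIRST_SAFE_NEW, FIXED_BACKPORT = "3.0b10", "3.1.1", "3.0.1"

def version_key(version):
    """Sort key for Tunnelblick-style versions: '3.0b10' < '3.0' < '3.0.1' < '3.1b1' < '3.1.1'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:b(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))            # pad so 3.0 compares as 3.0.0
    beta = m.group(2)
    # At the same base version a beta (rank 0) precedes the release (rank 1).
    return (tuple(nums), 0 if beta else 1, int(beta or 0))

def is_vulnerable(version):
    """Apply the page's rule to one version string; None means no version info (3.0b9 or earlier)."""
    if version is None or version.strip() == FIXED_BACKPORT:
        return False
    return version_key(LAST_SAFE_OLD) < version_key(version) < version_key(FIRST_SAFE_NEW)

def bundle_version(app_dir):
    """Read CFBundleShortVersionString (assumed key) from <app>/Contents/Info.plist."""
    plist = os.path.join(app_dir, "Contents", "Info.plist")
    with open(plist, "rb") as f:
        return plistlib.load(f).get("CFBundleShortVersionString")

def scan(root):
    """Walk root and return (path, version, vulnerable) for every Tunnelblick.app found."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == "Tunnelblick.app":
            try:
                ver = bundle_version(dirpath)
            except (OSError, plistlib.InvalidFileException):
                ver = None                   # unreadable plist: treated as "no version info"
            found.append((dirpath, ver, is_vulnerable(ver)))
            dirnames[:] = []                 # do not descend into the bundle itself
    return found

if __name__ == "__main__":
    # Scan an internal-drive path given on the command line (default: /Applications).
    for path, ver, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(("VULNERABLE " if bad else "ok         ") + f"{ver or '(no version)'}  {path}")
```

Run it against each internal drive's root to find restored backups or duplicate copies; bundles on a .dmg or in a .zip that have never been run are not covered, matching the page's statement that uninstalled copies are not vulnerable.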

Are there any exploits?

No exploits are known to be "in the wild" as of 2011-01-12.

Do I need to be running Tunnelblick to be vulnerable?

No, if a vulnerable version of Tunnelblick is installed, your computer is vulnerable.

Are uninstalled copies of Tunnelblick vulnerable?

No. Uninstalled copies (on a downloaded .dmg disk image or in a .zip archive, for example, or that have been copied from a disk image or expanded from an archive but never run) are not vulnerable.

Are backup copies of Tunnelblick vulnerable?

Backups on external or network drives are not vulnerable. Copies that have been restored from backup and are on internal drives are vulnerable. Backups on internal drives may be vulnerable.

Does the vulnerability have anything to do with OpenVPN or OpenSSL?

No, this is a vulnerability in Tunnelblick itself, not in OpenVPN or OpenSSL.

How was the vulnerability discovered?

The current Tunnelblick developer discovered a bug, fixed it, and issued a stable release containing the fix without realizing that the bug was a security vulnerability. Subreption, LLC disclosed the security vulnerability aspect of the bug to the developer.
