Frequently Asked Questions About the 2011-01-27 Vulnerability

On This Page
    What is the vulnerability?
    How can I protect my computer from this vulnerability?
    What versions of Tunnelblick are vulnerable?
    What versions of Tunnelblick are NOT vulnerable?
    What version of Tunnelblick do I have?
    Do I need to be running Tunnelblick to be vulnerable?
    Are uninstalled copies of Tunnelblick vulnerable?
    Are backup copies of Tunnelblick vulnerable?
    Does the vulnerability have anything to do with OpenVPN or OpenSSL?
    How was the vulnerability discovered?

What is the vulnerability?

On January 27, 2011, the following announcement was made:
A bug causing a security problem exists in Tunnelblick versions 3.1, 3.1.1, and 3.1.2. It allows an unprivileged user to erase the contents of any file, including important system files, on any Mac OS X system with a vulnerable version of Tunnelblick installed. As far as is known as of 2011-01-27, the bug cannot be used to take control of the system or obtain root access.

At this time, further details of the vulnerability are being withheld.

How can I protect my computer from this vulnerability?

  1. Update to the latest version of Tunnelblick as soon as possible:
    Note: you will need your computer's administrator password.
  • Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "Options", then click on "Check for Updates". You'll be guided through the update process.
  • If the "Options" or "Check for Updates" menu items are not available, you will need to do a manual installation:
    • Download the latest stable version from the Downloads page and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
    • If your version of Tunnelblick is installed in /Applications, double-click on the Tunnelblick icon. You will be guided through the update process.
    • Otherwise, drag the Tunnelblick icon to the folder in which Tunnelblick is installed and replace your current version.
  2. Make sure you do not have any copies (including backup copies) of vulnerable versions of Tunnelblick anywhere else on an internal hard drive.

What versions of Tunnelblick are vulnerable?

Versions 3.1, 3.1.1, and 3.1.2 are vulnerable.

What versions of Tunnelblick are NOT vulnerable?

The following versions of Tunnelblick are not vulnerable:

  • 3.1.3 and later
  • 2.0.1
  • 3.0.1
  • 3.0b10, 3.0b9, 3.0b8, and 3.0b7
  • All other 3.0 versions, including beta versions. However, all of these versions have another, different security vulnerability.

What version of Tunnelblick do I have?

  1. Find Tunnelblick.app (it is usually in the /Applications folder).
  2. Click on Tunnelblick.app to select it.
  3. Click "File", then "Get Info". A window will appear with (among other things) version information.

If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
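
One way to automate the version check above, together with the search for other copies asked for under "How can I protect my computer from this vulnerability?", as an added example (not Tunnelblick's own code): it walks a directory tree, reads each Tunnelblick.app's Info.plist and flags versions 3.1, 3.1.1 and 3.1.2. It assumes the version Finder shows comes from the CFBundleShortVersionString key and that copies keep the name Tunnelblick.app; the function names and the sample tree are constructed for illustration.

```python
import os
import plistlib
import tempfile

# Versions the page lists as vulnerable.
VULNERABLE = {"3.1", "3.1.1", "3.1.2"}

def bundle_version(app_path):
    """Return the bundle's version string, or None (assumed key: CFBundleShortVersionString)."""
    try:
        with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
            info = plistlib.load(fh)  # reads XML and binary plists
    except Exception:  # missing, unreadable or malformed Info.plist
        return None
    value = info.get("CFBundleShortVersionString") if isinstance(info, dict) else None
    return value.strip() if isinstance(value, str) and value.strip() else None

def classify(version):
    """Classify a version string; assumes any build suffix follows a space."""
    if version is None:
        return "no version information"
    number = version.split()[0]
    return "VULNERABLE" if number in VULNERABLE else "not in vulnerable list"

def scan(root):
    """Return sorted (path, version, status) for every Tunnelblick.app under root."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if "Tunnelblick.app" in dirnames:  # assumes copies were not renamed
            dirnames.remove("Tunnelblick.app")  # do not descend into the bundle
            app = os.path.join(dirpath, "Tunnelblick.app")
            version = bundle_version(app)
            found.append((app, version, classify(version)))
    return sorted(found)

def make_sample_tree(root):
    """Create constructed fake bundles under root (sample data, not real installs)."""
    samples = {"Applications": "3.1.2 (build 0000)", "Users/a/Old": "3.1.3", "Backup": None}
    for folder, version in samples.items():
        contents = os.path.join(root, folder, "Tunnelblick.app", "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": version} if version else {}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for path, version, status in scan(tmp):
            print(f"{status:24} {version or '-':20} {path}")
```

Per the page, a bundle with no version information is version 3.0b9 or earlier, and a flagged copy that has never been run is not vulnerable.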

Do I need to be running Tunnelblick to be vulnerable?

No. If a vulnerable version of Tunnelblick is installed, your computer is vulnerable.

Are uninstalled copies of Tunnelblick vulnerable?

No. Uninstalled copies (on a downloaded .dmg disk image or in a .zip archive, for example, or that have been copied from a disk image or expanded from an archive but never run) are not vulnerable.

Are backup copies of Tunnelblick vulnerable?

Backups on external or network drives are not vulnerable. Copies that have been restored from backup and are on internal drives are vulnerable. Backups on internal drives may be vulnerable.

Does the vulnerability have anything to do with OpenVPN or OpenSSL?

No, this is a vulnerability in Tunnelblick itself, not in OpenVPN or OpenSSL.

How was the vulnerability discovered?

It was discovered during a security audit by the current Tunnelblick developer.
