Frequently Asked Questions About the 2011-12-19 Vulnerability

On This Page
    What is the vulnerability?
    How can I protect my computer from this vulnerability?
    What if I can't use the latest version?
    What versions of Tunnelblick are vulnerable?
    What version of Tunnelblick do I have?
    Are there any exploits?
    Do I need to be running Tunnelblick to be vulnerable?
    Are uninstalled copies of Tunnelblick vulnerable?
    Are backup copies of Tunnelblick vulnerable?
    Does the vulnerability have anything to do with OpenVPN or OpenSSL?
    How was the vulnerability discovered?

What is the vulnerability?

On December 19, 2011, the following announcement was made:
A bug causing an exploitable security problem exists in Tunnelblick version 3.2beta36. It could allow an unprivileged user to gain root privileges on any Mac OS X system running the vulnerable version of Tunnelblick under certain conditions.

At this time, further details of the vulnerability are being withheld.

How can I protect my computer from this vulnerability?

Update to the latest version of Tunnelblick as soon as possible:
Note: you will need your computer's administrator password.

  • Update Tunnelblick 3.2beta16 and higher: Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "VPN Details…", then click on "Preferences", then click on "Check Now" under "Updates". You'll be guided through the update process.
  • Update Tunnelblick 3.2beta14 and lower, and all 3.1 versions: Launch your current version of Tunnelblick, click on the Tunnelblick icon in the menu bar, click on "Options", then click on "Check for Updates". You'll be guided through the update process.
  • If you are unable to update, you will need to do a manual installation:
    • Download the latest beta version from the Downloads page and double-click on the downloaded .dmg file. A new window will appear containing a Tunnelblick icon.
    • If your version of Tunnelblick is installed in /Applications, double-click on the Tunnelblick icon. You will be guided through the update process.
    • Otherwise, drag the Tunnelblick icon to the folder in which Tunnelblick is installed and replace your current version.

What if I can't use the latest version?

Anyone who can run the vulnerable version should be able to run version 3.2.

What versions of Tunnelblick are vulnerable?

Only Tunnelblick version 3.2beta36 is vulnerable.

What version of Tunnelblick do I have?

  1. Find Tunnelblick.app (it is usually in the /Applications folder).
  2. Click on Tunnelblick.app to select it.
  3. Click "File", then "Get Info". A window will appear with (among other things) version information.

If there is no version information, it is Tunnelblick version 3.0b9 or earlier.
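The same check can be scripted for machines with several copies of Tunnelblick. This is an added example, not code from the Tunnelblick project. It assumes the version shown by "Get Info" comes from the CFBundleShortVersionString or CFBundleVersion key in Tunnelblick.app/Contents/Info.plist and that the string begins with the release name; the bundles in demo() are constructed samples.

```python
import plistlib
import tempfile
from pathlib import Path

VULNERABLE = "3.2beta36"  # the only vulnerable version, per this page

def bundle_version(app: Path):
    """Return the version string from app/Contents/Info.plist, or None if absent."""
    try:
        data = plistlib.loads((app / "Contents" / "Info.plist").read_bytes())
    except Exception:  # missing, unreadable or malformed plist
        return None
    for key in ("CFBundleShortVersionString", "CFBundleVersion"):
        value = data.get(key) if isinstance(data, dict) else None
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None

def classify(app: Path) -> str:
    version = bundle_version(app)
    if version is None:
        return "no version information (3.0b9 or earlier, per this FAQ)"
    # Assumption: the release name is the first token; build details may follow it.
    if version.split()[0] == VULNERABLE:
        return f"VULNERABLE ({version}): update now"
    return f"not the vulnerable version ({version})"

def scan(roots):
    """Map every Tunnelblick.app found under the given folders to its status."""
    found = {}
    for root in roots:
        for app in Path(root).rglob("Tunnelblick.app"):
            found[str(app)] = classify(app)
    return found

def demo():
    """Scan three constructed bundles (not real installs) in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"a": "3.2beta36 (build 0000)", "b": "3.2", "c": None}
        for folder, version in samples.items():
            contents = Path(tmp, folder, "Tunnelblick.app", "Contents")
            contents.mkdir(parents=True)
            if version is not None:
                data = plistlib.dumps({"CFBundleShortVersionString": version})
                (contents / "Info.plist").write_bytes(data)
        return {Path(p).parts[-2]: s for p, s in scan([tmp]).items()}

if __name__ == "__main__":
    print(scan(["/Applications"]))
```

Pass additional folders to scan() to cover copies installed outside /Applications.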

Are there any exploits?

No exploits are known to be "in the wild" as of 2011-12-19.

Do I need to be running Tunnelblick to be vulnerable?

You need to be running Tunnelblick or OpenVPN under certain conditions.

Are uninstalled copies of Tunnelblick vulnerable?

No.

Are backup copies of Tunnelblick vulnerable?

No, not unless they are launched.

Does the vulnerability have anything to do with OpenVPN or OpenSSL?

No, this is a vulnerability in Tunnelblick itself, not in OpenVPN or OpenSSL.

How was the vulnerability discovered?

The current Tunnelblick developer discovered a bug, fixed it, and issued a new beta (3.2) which contains the fix.
