OpenVPN successfully compromised through Heartbleed

Passions over the newly discovered Heatbleed vulnerabilities in OpenSSL do not subside. Yesterday a message appeared on the news.ycombinator.com portal that researchers managed to make several successful attacks on the OpenVPN server and compromise the private key used by the server to decrypt the traffic sent by the client.

OpenVPN server by exploiting the Heartbleed Bug. It’s not a problem.

As you may know, OpenVPN has an SSL / TLS mode where certificates are used for authentication. OpenVPN multiplexes for SSL / TLS session used for authentication and key exchange. The default TLS library for OpenVPN is OpenSSL.

')


Previously, OpenVPN developers have already warned users that the product uses the OpenSSL library and is vulnerable to this attack. But until yesterday there was no public information that the attack could really be successfully implemented. Researchers have demonstrated the ability to forge a remote server through the obtained private key, as well as to decrypt using it the data passing between the real VPN server and the user himself.

The following server test configuration was used to carry out the attack: Ubuntu 12.04 OS (virtualization via KVM) OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11.

However, it should be clarified that such an attack will not work against sessions with the TLS authentication option enabled, since in this case a separate private key is used to encrypt the traffic.

This is a risk of minimalism. It is unlikely that you can use this option. The channel is not the same as the web services themselves. And it’s not even the case that it has been used for the. I’m going to release 2.0.7 soon, which will incorporate updated clients as well.