Heartbleed Update: OpenVPN isn't Safe, Either

As if the Heartbleed bug weren't already causing enough trouble for OpenSSL, it's a problem for OpenVPN, too. Just as hackers can exploit a code flaw in outdated versions of OpenSSL to potentially gain the secret keys to decrypt Internet traffic, they can do the same with OpenVPN, and one VPN operator has figured out exactly how it's done.

If your VPN server uses OpenSSL, like OpenVPN, it's a Heartbleed target

OpenSSL is a system for encrypting communication between your computer and Internet servers. Heartbleed takes advantage of a code flaw in OpenSSL to trick the server into transmitting random parts of its own memory. Since that memory can include the secret keys for encrypting communications, hackers can potentially gain those and then decrypt anything they want from the server's communication stream.

Once hackers have access to those encryption keys, they can capture user names and passwords, credit card numbers, and any other information that's passing between users and servers. They can also impersonate users, or even set up their own servers that appear to be legit.

What a VPN provides is a way to create a private network connection to a server even when you're on a public network, like at Starbucks. Since OpenVPN uses the same faulty code, it's possible to decrypt what everyone assumed were secure and encrypted communication streams.

Fredrik Strömberg decided to see just what's involved in breaking into a VPN connection by taking advantage of Heartbleed, so he set up a server to test. He managed to capture the server's private key, and then set up a second server that impersonates the original.

In a post on Hacker News, he said,

"Our exploit is decently weaponized, and while the code is an abomination that even Eris would be embarrassed to present, we believe it may severely impact those who have not already upgraded. Therefore, we will not be publishing the code. Nevertheless, you should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN. Just to be clear, we don't intend to use this exploit ourselves. We merely developed it to examine the practical impact on OpenVPN as part of our incident investigation."

The fix for the OpenVPN flaw is the same as for OpenSSL: server administrators need to update their OpenSSL installation to version 1.0.1g, revoke their current certificates, and have new certificates issued. After that, it's up to end users to change their login passwords just to be safe, because there isn't a direct way to detect whether or not the original server security keys were compromised.
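A starting point for the update step above, added here as an example (it is not from the original article or from Strömberg's team): it classifies `openssl version` banners against the affected range, 1.0.1 through 1.0.1f plus 1.0.2-beta1, which comes from the OpenSSL advisory rather than from the text above. The `host|banner` inventory format and the host names are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl version` banners against the Heartbleed range.
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed: 1.0.1g and later.
# Caveat: distributions often backport the fix without changing the version
# letter, so "affected-range" means "confirm against the package changelog".

heartbleed_status() {
    # Field 2 of the banner is the version, e.g. "1.0.1e" or "1.0.1e-fips".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.2-beta1*)
            echo "affected-range" ;;
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*)
            echo "affected-range" ;;
        1.0.1[g-z]*|1.0.[2-9]*|1.1.*|[3-9].*)
            echo "fixed" ;;
        0.9.*|1.0.0*)
            echo "not-affected" ;;   # these releases predate heartbeat support
        *)
            echo "unknown" ;;        # not an OpenSSL banner, or unrecognised
    esac
}

# Read "host|banner" lines (a hypothetical inventory format) on stdin and
# print the hosts whose OpenSSL version falls in the affected range.
hosts_needing_update() {
    while IFS='|' read -r host banner; do
        [ "$(heartbleed_status "$banner")" = "affected-range" ] && echo "$host"
    done
    return 0
}

# Constructed sample inventory; replace with banners collected from real hosts.
SAMPLE_INVENTORY='vpn1.example|OpenSSL 1.0.1e 11 Feb 2013
vpn2.example|OpenSSL 1.0.1g 7 Apr 2014
vpn3.example|OpenSSL 0.9.8y 5 Feb 2013
vpn4.example|OpenSSL 1.0.1e-fips 11 Feb 2013'

printf '%s\n' "$SAMPLE_INVENTORY" | hosts_needing_update
```

A "fixed" result covers only the library upgrade; the certificate revocation and reissue described above still apply to any server that ran an affected build.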

Hacking into a VPN with Heartbleed isn't exactly trivial, so it isn't like every OpenVPN connection will be compromised. Even still, if one group has figured out how to weaponize the exploit for OpenVPN, it's a safe bet others have, too. It's also possible that other VPN systems that rely on OpenSSL are vulnerable to Heartbleed.

On the upside, OpenVPN connections that rely on TLS instead of SSL aren't susceptible to the code bug. Also, as system administrators continue to update their OpenSSL implementations, the threat Heartbleed poses will start to diminish.

For now, it's up to system administrators to update OpenSSL, and third-party OpenVPN app developers will have to do the same, too.