Heartbleed Update: OpenVPN isn’t Safe, Either

| Analysis

As if the Heartbleed bug weren't already causing enough trouble for OpenSSL, it's a problem for OpenVPN, too. Just as hackers can exploit a code flaw in outdated versions of OpenSSL to potentially obtain the secret keys needed to decrypt Internet traffic, they can do the same with OpenVPN, and one VPN operator has figured out exactly how it's done.

If your VPN server uses OpenSSL, as OpenVPN does, it's a Heartbleed target

OpenSSL is a software library for encrypting communication between your computer and Internet servers. Heartbleed takes advantage of a code flaw in OpenSSL to trick the server into transmitting arbitrary parts of its own memory. Since that memory can include the secret keys used to encrypt communications, hackers can potentially obtain those keys and then decrypt anything they want from the server's communication stream.
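The flaw described above is a missing bounds check: the heartbeat handler trusted the payload length declared in the request header and copied that many bytes out of memory, even when the record actually received was far shorter. The following simulation is an added example written for this page, not code from OpenSSL or from the article's author; it models "process memory" as a plain byte string with a constructed stand-in for key material placed next to the record, and puts the pre-fix handler beside the check that OpenSSL 1.0.1g added (the declared length must fit inside the record that was actually received).

```python
import struct

# Heartbeat record layout (TLS heartbeat extension): 1 type byte,
# 2-byte big-endian payload length, payload, then 16 bytes of padding.
HEADER_LEN = 1 + 2
PADDING_LEN = 16

# Constructed stand-in for whatever happens to sit next to the record in the
# server's memory. Real key material is never used here.
NEIGHBOUR = b"[secret material adjacent in memory]"


def heartbeat_record(claimed_len: int, payload: bytes = b"ping") -> bytes:
    """Build a heartbeat request. claimed_len is what the header declares; the
    record physically carries only len(payload) bytes of payload."""
    return bytes([1]) + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: the declared length drives the copy, and record_len
    (what the record layer actually received) is never consulted."""
    payload_len = struct.unpack(">H", memory[1:HEADER_LEN])[0]
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def fixed_heartbeat(memory: bytes, record_len: int):
    """1.0.1g behaviour: discard the request unless header + declared payload +
    padding fit inside the record that was really received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                      # too short to even hold a header
    payload_len = struct.unpack(">H", memory[1:HEADER_LEN])[0]
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None                      # declared length overruns the record
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def honest_exchange():
    """A well-formed request: both handlers echo exactly the 4-byte payload."""
    record = heartbeat_record(claimed_len=4)
    memory = record + NEIGHBOUR
    return vulnerable_heartbeat(memory, len(record)), fixed_heartbeat(memory, len(record))


def overlong_exchange():
    """A request whose header claims 40 bytes while carrying 4: the old handler
    returns 40 bytes, spilling past the record into NEIGHBOUR; the fixed one drops it."""
    record = heartbeat_record(claimed_len=40)
    memory = record + NEIGHBOUR
    return vulnerable_heartbeat(memory, len(record)), fixed_heartbeat(memory, len(record))


if __name__ == "__main__":
    print("honest :", honest_exchange())
    leaked, dropped = overlong_exchange()
    print("overlong, old handler :", leaked)
    print("overlong, fixed handler:", dropped)
```

The check in `fixed_heartbeat` is the whole patch in spirit: the length a peer declares is data, not a fact about the buffer, and it is compared against the length the record layer actually delivered before any copy happens. Everything else on the page (key rotation, password changes) follows from the fact that, before that check existed, a server could not know what it had already disclosed.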

Once hackers have access to those encryption keys, they can capture user names and passwords, credit card numbers, and any other information that's passing between users and servers. They can also impersonate users, or even set up their own servers that appear to be legit.

A VPN provides a way to create a private network connection to a server even when you're on a public network, like at Starbucks. Since OpenVPN uses the same faulty code, it's possible to decrypt what everyone assumed were secure, encrypted communication streams.

Fredrik Strömberg decided to see just what's involved in breaking into a VPN connection by taking advantage of heartbleed, so he set up a server to test. He managed to capture the server's private key, and then set up a second server that impersonates the original.

In a post on Hacker News, he said,

Our exploit is decently weaponized, and while the code is an abomination that even Eris would be embarrassed to present, we believe it may severely impact those who have not already upgraded. Therefore, we will not be publishing the code. Nevertheless, you should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN. Just to be clear, we don't intend to use this exploit ourselves. We merely developed it to examine the practical impact on OpenVPN as part of our incident investigation.

The fix for the OpenVPN flaw is the same as for OpenSSL: server administrators need to update their OpenSSL installation to version 1.0.1g, revoke their current certificates, and have new certificates issued. After that, it's up to end users to change their login passwords, just to be safe, because there isn't a direct way to detect whether or not the original server keys were compromised.
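The first step of that fix, confirming which OpenSSL a host is actually running, is easy to get wrong from the version banner alone. The triage helper below is an added example for this page, not the article's or OpenVPN's code; it parses the output of `openssl version` and classifies the Heartbleed status of the release branches (1.0.1 through 1.0.1f and 1.0.2-beta1 were affected; 1.0.0 and 0.9.8 never had the heartbeat code; 1.0.1g and later are fixed). The sample banners are constructed, and the `openssl` binary on `PATH` is an assumption.

```python
import re
import subprocess

# Constructed banner strings in the shape `openssl version` prints; not from real hosts.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

# major.minor.fix, optional patch letter(s), optional -betaN suffix
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner: str):
    """Return (major, minor, fix, letter, beta) or None if the banner is unrecognised."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'unaffected' or 'unknown'.
    This judges the upstream release only; see the note on distro backports."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "unaffected"                     # 0.9.8 and 1.0.0 never had heartbeats
    if branch == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"   # 1.0.1 .. 1.0.1f affected
    if branch == (1, 0, 2):
        return "vulnerable" if beta == 1 else "fixed"      # only 1.0.2-beta1 shipped the bug
    return "fixed"                              # every later branch postdates the fix


def triage_local_openssl() -> str:
    """Run `openssl version` on this host (assumes the binary is on PATH)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:32} -> {heartbleed_status(banner)}")
    print("this host ->", triage_local_openssl())
```

Two caveats matter in practice. Linux distributions backported the fix without bumping the upstream number, so a banner reading 1.0.1e can be patched; treat "vulnerable" from this script as "check the package changelog or the `built on:` date from `openssl version -a`", not as a verdict. And the banner describes the `openssl` command-line binary, while an OpenVPN build may link a different copy of the library, so the library OpenVPN actually loads is the one that has to be at 1.0.1g or its distro equivalent.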

Hacking into a VPN with Heartbleed isn't exactly trivial, so it isn't as if every OpenVPN connection will be compromised. Still, if one group has figured out how to weaponize the exploit for OpenVPN, it's a safe bet others have, too. It's also possible that other VPN systems that rely on OpenSSL are vulnerable to Heartbleed.

On the upside, OpenVPN connections that rely on TLS instead of SSL aren't susceptible to the code bug. Also, as system administrators continue to update their OpenSSL installations, the threat Heartbleed poses will start to diminish.

For now, it's up to system administrators to update OpenSSL, and third-party OpenVPN app developers will have to do the same, too.


This is going to do a huge amount of damage to the Open-Source community and movement. I would expect to see a good number of corporations moving away from OS and toward commercial software because of Heartbleed, even though commercial is not necessarily any more secure. No matter what you're running, OS, MS, Oracle, or whatever, you need to keep it patched and up to date. You need to stay on top of security risks. You need to maintain your system. I expect, however, to see a lot of bean counters just painting "Open Source is bad" on everything and moving on. Until the next MS or Adobe exploit nails them.



I have heard IT professionals opine that, if you’re on a widely used platform, proprietary or OS, but generally in reference to MS solutions, you have safety in numbers. As one put it, ‘Everyone is in the same boat’.

Although that strikes me as an unenlightened and non-viable oversimplification of safety in numbers, it has a superficially persuasive, even if disastrously incorrect, appeal at least for some.
