The Heartbleed bug exposes the private encryption keys of virtual private network (VPN) servers running the OpenVPN application with a vulnerable version of OpenSSL, a Swedish VPN service warns. Last week, developers who maintain the open-source OpenVPN software warned of the vulnerability, which has now been confirmed by VPN service provider Mulvad.
“We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,”
– Mulvad co-founder Fredrik Strömberg in a Hacker News blog post.
The test server was running Ubuntu 12.04 that was virtualised using the KVM application, OpenVPN 2.2.1, and OpenSSL 1.0.1-4ubuntu5.11.
“The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.
Mulvad’s confirmation means that organisations using an OpenVPN server or servers that rely on OpenSSL should take immediate steps to remove the vulnerability.
According to the community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f and anyone running those versions of OpenSSL should:
- Update the OpenSSL library
- Revoke the old private keys
- Generate new private keys
- Create certificates for the new private keys