
Tests prove Heartbleed bug exposes OpenVPN private keys

The Heartbleed bug exposes the private encryption keys of virtual private network (VPN) servers running the OpenVPN application with a vulnerable version of OpenSSL, a Swedish VPN service warns. Last week, the developers who maintain the open-source OpenVPN software warned of the vulnerability; VPN service provider Mullvad has now confirmed it.

“We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,”

– Mullvad co-founder Fredrik Strömberg, in a Hacker News blog post.

The test server ran Ubuntu 12.04, virtualised under KVM, with OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11.

“The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.

Mullvad’s confirmation means that organisations running OpenVPN servers that rely on OpenSSL should take immediate steps to remove the vulnerability.

According to the OpenVPN community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f, and anyone running those versions of OpenSSL should:

  1. Update the OpenSSL library
  2. Revoke the old private keys
  3. Generate new private keys
  4. Create certificates for the new private keys
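As an added illustration (not from the article or the OpenVPN project), the following POSIX shell script classifies an OpenSSL version string against the affected range 1.0.1 to 1.0.1f named above and wraps the key-rotation steps in functions; the file names, the easy-rsa-style CA config and the presence of the `openssl` CLI are assumptions. A distribution that backports the fix can keep the upstream 1.0.1 version string, so the check is a first triage, not proof of exposure; the package changelog decides.

```shell
#!/bin/sh
# Added example: triage an OpenSSL version string for the Heartbleed range
# (1.0.1 .. 1.0.1f) and wrap the wiki's key-rotation steps as functions.

# Returns 0 (true) when the upstream version is in the affected range.
# Arg 1: "1.0.1e", "1.0.1-4ubuntu5.11" or the output of `openssl version`.
heartbleed_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)*\(1\.0\.1[a-z]\{0,1\}\).*/\2/p')
    [ -n "$v" ] || return 1            # 0.9.8, 1.0.0 and 1.0.2 builds: not affected
    letter=${v#1.0.1}
    case "$letter" in
        ''|a|b|c|d|e|f) return 0 ;;    # 1.0.1 through 1.0.1f: affected
        *)              return 1 ;;    # 1.0.1g and later: fixed upstream
    esac
}
# Caveat: a distro package that backports the fix may still print 1.0.1;
# confirm against the package changelog before treating a host as clean.

# Wiki steps 3 and 4 for one server: fresh RSA key plus a CSR for the CA.
# Args: output directory, subject CN. File names are assumptions.
rotate_server_key() {
    dir=$1; cn=$2
    umask 077                          # keep the new key readable by owner only
    openssl genrsa -out "$dir/server-new.key" 2048 || return 1
    openssl req -new -key "$dir/server-new.key" -subj "/CN=$cn" \
        -out "$dir/server-new.csr"
}

# Wiki step 2 with an OpenSSL-based CA (easy-rsa style config assumed):
# revoke the compromised cert and regenerate the CRL that OpenVPN loads
# through its crl-verify option, so the old identity stops being accepted.
revoke_old_cert() {
    ca_cfg=$1; old_cert=$2; crl_out=$3
    openssl ca -config "$ca_cfg" -revoke "$old_cert" || return 1
    openssl ca -config "$ca_cfg" -gencrl -out "$crl_out"
}

# Triage the local library when the openssl CLI is available.
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_affected "$(openssl version)"; then
        echo "OpenSSL is in the 1.0.1..1.0.1f range: update, then revoke and regenerate keys"
    else
        echo "OpenSSL version string is outside 1.0.1..1.0.1f"
    fi
fi
```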