{"id":4098,"date":"2014-04-28T01:26:35","date_gmt":"2014-04-27T17:26:35","guid":{"rendered":"https:\/\/www.icocean.com\/blog\/?p=4098"},"modified":"2014-04-28T01:26:35","modified_gmt":"2014-04-27T17:26:35","slug":"openssl-vulnerability-heartbleed","status":"publish","type":"post","link":"https:\/\/www.icocean.com\/blog\/?p=4098","title":{"rendered":"OpenSSL vulnerability – Heartbleed"},"content":{"rendered":"

A vulnerability in OpenSSL, nicknamed Heartbleed, was published in April 2014 1<\/a>. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too.<\/p>\n

What does this mean?<\/h2>\n

An attacker can trick OpenSSL into returning a part of your program memory. That memory contains your session keys (the keys used to encrypt your data), and usually your master secret key too. If your OpenVPN is or has been vulnerable to heartbleed you should consider your keys, and the traffic over the VPN tunnel, compromised.<\/p>\n

Am I affected too?<\/h2>\n

Your OpenVPN is affected when your OpenVPN is linked against OpenSSL, versions 1.0.1 through 1.0.1f.<\/p>\n

Has OpenVPN been successfully exploited?<\/h2>\n

This is very likely. On 16th April 2014 \u200b<\/span>a mail<\/a> was sent to openvpn-user list by Fredrik Str\u00f6mberg, who claimed the following:<\/p>\n

We have successfully extracted private key material multiple times\r\nfrom an OpenVPN server by exploiting the Heartbleed Bug. The material\r\nwe found was sufficient for us to recreate the private key and\r\nimpersonate the server.\r\n\r\n--- snip ---\r\n\r\n... you should assume that other teams with more nefarious purposes\r\nhave already created weaponized exploits for OpenVPN. Just to be\r\nclear, we don't intend to use this exploit ourselves. We merely\r\ndeveloped it to examine the practical impact on OpenVPN as part of\r\nour incident investigation.\r\n<\/pre>\n
More details in the \u200b<\/span>email thread<\/a>. The exploit has not yet been tested by anyone within the OpenVPN project, but we have to assume it is capable of doing what Fredrik claims.<\/p>\n
How do I fix this?<\/h2>\n
    \n
  1. Update your OpenSSL library<\/li>\n
  2. Revoke your old private keys<\/li>\n
  3. Generate new private keys<\/li>\n
  4. Create certificates for the new private keys<\/li>\n<\/ol>\n
    Is this for clients or servers?<\/h2>\n
    Both. Replace the keys for each peer that was active while linked against a vulnerable OpenSSL.<\/p>\n
    Are Android clients affected too?<\/h2>\n
    Android shipped OpenSSL 1.0.1 as of 4.1, but disable heartbeats since 4.1.2. That means only Android 4.1(.0) and 4.1.1 are vulnerable. There are app available to check your own device like \u200b<\/span>Heartbleed Detector<\/a>.<\/p>\n
    \u200b<\/span>A special version of OpenVPN for Android including a copy of OpenSSL<\/a> can be used on affected devices. This however still leaves all other apps\/services on the device vulnerable.<\/p>\n
    What about Tunnelblick for MacOS X<\/h2>\n
    Old versions for Tunnelblick are affected, but fixed versions \u200b<\/span>have been released<\/a>.<\/p>\n
    What about Windows clients?<\/h2>\n
    All official OpenVPN Windows client installers<\/a> are shipped with OpenSSL. However, only installer versions 2.3-rc2-I001<\/em> through 2.3.2-I003<\/em> ship a vulnerable version. Installer version 2.3.2-I004<\/em> fixes this vulnerability by bundling OpenSSL 1.0.1g. The fixed version can be downloaded from here<\/a>.<\/p>\n
    If you want to verify whether the version of OpenSSL in your OpenVPN installation is vulnerable, go to C:\\Program Files\\OpenVPN\\bin<\/em> using Windows Explorer, right-click on libeay32.dll<\/em>, click properties and check what Details -> Product Version<\/em> says.<\/p>\n
    Is Access Server affected?<\/h2>\n
    Short answer: yes.<\/p>\n
    All Access Server users are advised to \u200b<\/span>upgrade immediately<\/a> to Access Server 2.0.7. If you would like to patch the OpenSSL libraries for older versions of Access Server please \u200b<\/span>download the libs<\/a> for your distro and copy them into \/usr\/local\/openvpn_as\/lib.<\/p>\n
    For more information have a look at the OpenVPN Technologies’ official announcement<\/a>.<\/p>\n
    Are OpenVPN Connect clients affected<\/h2>\n
    It depends:<\/p>\n