URGENT: OpenVPN software needs to be fixed due to this bug
Posted: Tue Apr 08, 2014 9:14 am
by innogen
On behalf of users of OpenVPN software, I request its developers (such as Samuli) to quickly fix the OpenSSL bug present in the current version of OpenVPN (Community Edition), which is 2.3.2-I003.
The exploit is very serious and has been out in the wild for over two years now (see http://heartbleed.com/).
For further information about the exploit, see:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-0160
http://www.openssl.org/news/secadv_20140407.txt
There is no time to lose now.
OpenVPN developers should also seriously consider whether they ought to provide a fix for the vulnerability discovered by Tor developers (see my other post on topic15306.html).
On behalf of users of OpenVPN software, I thank the developers in advance for their sense of responsibility and commitment to making their software secure and robust.
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 9:37 am
by nrUCm
As far as I can tell, people who have been using the additional TLS-Auth option should be safe, correct?
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 12:15 pm
by innogen
nrUCm wrote: As far as I can tell, people who have been using the additional TLS-Auth option should be safe, correct?
No. TLS and OpenSSL are two different concepts.
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 12:18 pm
by innogen
At the time of this writing, ALL *nix distros have already issued patches to fix the security flaw.
We will see how long OpenVPN developers take to issue a fix.
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 12:45 pm
by nrUCm
But shouldn't that option stop anything reaching the TLS handshake layer?
See https://openvpn.net/index.php/open-sour ... l#security
Please note that I am not trying to correct you; I simply do not know...
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 1:29 pm
by innogen
Look, a majority of OpenVPN users do not use the tls-auth option.
Besides, a cardinal rule in developing software is to patch security holes when the latter are discovered. It will instill in users confidence in using the product, am I right? (As long as OpenVPN makes use of OpenSSL, the former should issue fixes.)
Re: URGENT: OpenVPN software needs to be fixed due to this b
Posted: Tue Apr 08, 2014 4:05 pm
by aperson
innogen wrote: Look, a majority of OpenVPN users do not use the tls-auth option.
I do use the tls-auth option and am trying to determine exploitability. Upgrading all users would be a significantly disruptive task, and if it can be performed in a more controlled and less hectic manner it will be a better experience for everyone.
The literature I found online indicates the _server_ would be protected from the client when it is used, but I am not 100% certain.
What I am even less certain of is if the _client_ is protected from a malicious server who attempts to exploit it before the handshake completes. Are all of the server's handshake messages similarly protected for the client?