http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/
By Dan Goodin
Ars Technica
April 16, 2014
Private encryption keys have been successfully extracted multiple times
from a virtual private network server running the widely used OpenVPN
application with a vulnerable version of OpenSSL, adding yet more urgency
to the call for operators to fully protect their systems against the
catastrophic Heartbleed bug.
Developers who maintain the open source OpenVPN package previously warned
that private keys underpinning VPN sessions were vulnerable to Heartbleed.
But until Wednesday, there was no public confirmation such a devastating
theft was feasible in real-world settings, said Fredrik Strömberg, the
operator of a Sweden-based VPN service who carried out the attacks on a
test server. An attacker could use the same exploit to impersonate a
target's VPN server and, in some cases, decrypt traffic passing between
an end user and the real VPN server.
Wednesday's confirmation means any OpenVPN server—and likely servers using
any other VPN application that may rely on OpenSSL—should follow the
multistep path for recovering from Heartbleed, which is among the most
serious bugs ever to hit the Internet. The first step is to update the
OpenSSL library to the latest version. That step is crucial but by no
means sufficient. Because Heartbleed may have leaked the private key that
undergirds all VPN sessions, updated users may still be susceptible to
attacks by anyone who may have exploited the vulnerability and made off
with the key. To fully recover from Heartbleed, administrators should also
revoke their old key certificates, ensure all end user applications are
updated with a current certificate revocation list, and reissue new keys.
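As an added illustration of the two checks that paragraph implies (this is example code, not from the article or the OpenVPN project), the Python helper below decides from an `openssl version` banner whether a build falls in the Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, taken from the OpenSSL advisory rather than this article) and checks whether an OpenVPN config enables `crl-verify`, so that a revoked certificate is actually rejected. The sample banner and config are constructed.

```python
import re

# Affected range per the OpenSSL advisory (the article does not list versions):
# 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g and 1.0.2-beta2
# carry the fix; 0.9.8 and 1.0.0 never contained the heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter, beta);
    letter is '' for a plain x.y.z release, beta is None unless a beta build."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)

def heartbleed_vulnerable(banner):
    """True if the banner names an upstream release in the affected range."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"   # 1.0.1 .. 1.0.1f vulnerable, 1.0.1g and later fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1      # only 1.0.2-beta1 shipped with the bug
    return False

def crl_check_configured(config_text):
    """True if an OpenVPN config enables `crl-verify`, so that a revoked
    certificate (e.g. one replaced after a suspected key leak) is rejected."""
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()  # strip comments
        if words and words[0] == "crl-verify":
            return True
    return False

def audit(banner, config_text):
    """Return the findings for one OpenVPN host; an empty list means both checks pass."""
    findings = []
    if heartbleed_vulnerable(banner):
        findings.append("OpenSSL build is in the Heartbleed range: upgrade, then reissue keys")
    if not crl_check_configured(config_text):
        findings.append("no crl-verify directive: revoked certificates are still accepted")
    return findings

# Constructed sample input (not captured from any real host).
SAMPLE_BANNER = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_CONFIG = "port 1194\nproto udp\n;crl-verify crl.pem\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNER, SAMPLE_CONFIG):
        print(finding)
```

Distribution packages often backport the fix without changing the version letter (a patched 1.0.1e still reports 1.0.1e), so a "vulnerable" verdict from the banner alone should be confirmed against the package changelog before concluding the key must be treated as leaked.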
[...]