On 04/11/2014 03:57 PM, Tim Nelson wrote:
> Greetings-
>
> Hot on the heels of the OpenSSL debacle, and a fresh new release of
> pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
> actual surface attack area. All of the relevant information, reports,
> and PoC's are pointing at exploit only via an affected HTTPS
> webserver. However, I have not yet seen any PoC for exploiting other
> SSL based services, specifically OpenVPN.
>
> At this time, are there PoC's for Heartbleed and OpenVPN? I understand
> regardless the upgrade/patch is needed, but curious to know if an
> exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even
> static keys).
>
> Thanks!
>
> --Tim
>

hi tim,
indeed, tcp connections (https) were the easiest targets, but openvpn was compromised -- if you had an openvpn port open to the internet, you should take all the necessary measures. i am in the process (after having updated to 2.1.2) of replacing every certificate, and changing every password. massive work, but absolutely required -- the exploit was available for approximately two years. i am functioning on no sleep for the last three days, i cannot believe this happened.

ouch

m
