On 4/11/2014 9:57 AM, Tim Nelson wrote:
> Hot on the heels of the OpenSSL debacle, and a fresh new release of
> pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
> actual surface attack area. All of the relevant information, reports,
> and PoC's are pointing at exploit only via an affected HTTPS webserver.
> However, I have not yet seen any PoC for exploiting other SSL based
> services, specifically OpenVPN.
>
> At this time, are there PoC's for Heartbleed and OpenVPN? I understand
> regardless the upgrade/patch is needed, but curious to know if an
> exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even
> static keys).

Static keys were never vulnerable, nor is SSL/TLS when using a TLS Authentication Key unless the attacker has the key, in which case you probably have larger problems... or you're on a public VPN service that is running lots of people through common instances.

https://community.openvpn.net/openvpn/wiki/heartbleed has more info.

I also have yet to see a testing program/script/PoC that would get anything from OpenVPN. If anyone does know of one, we'd love to see it.

Jim
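
The three cases the reply distinguishes (static keys, TLS with a TLS Authentication Key, TLS without one) can be checked against a deployment's OpenVPN configs. This is an added example, not part of the original thread: it classifies config text by the `secret` and `tls-auth` directives, and the sample configs, file names and verdict labels are constructed for illustration.

```python
import re

# Directives that put OpenVPN in TLS (PKI) mode, where an OpenSSL handshake takes place.
TLS_MODE = {"tls-server", "tls-client", "client", "server", "ca", "cert", "pkcs12"}

# Verdict labels are this example's own wording of the cases in the reply.
VERDICTS = {
    "static-key": "static key mode: never vulnerable",
    "tls-auth": "TLS with a TLS Authentication Key: not vulnerable unless the attacker has the key",
    "tls-open": "TLS without a TLS Authentication Key: neither exception in the reply applies",
    "unknown": "no static key or TLS directives found",
}

def directives(config_text):
    """Return the directive names used in an OpenVPN config, counting inline <name> blocks."""
    names, inline = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:                          # skip key/cert material inside an inline block
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            names.add(inline)
        else:
            names.add(line.split()[0])
    return names

def classify(config_text):
    """Map a config to one of the VERDICTS keys."""
    d = directives(config_text)
    if "secret" in d and not d & TLS_MODE:
        return "static-key"
    if not d & TLS_MODE:
        return "unknown"
    return "tls-auth" if "tls-auth" in d else "tls-open"

# Constructed sample configs (paths and addresses are placeholders).
_TLS = "dev tun\nserver 10.8.0.0 255.255.255.0\nca ca.crt\ncert server.crt\nkey server.key\n"
SAMPLES = {
    "p2p-static.conf": "dev tun\nproto udp\nsecret /etc/openvpn/static.key\n",
    "server-tlsauth.conf": _TLS + "<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n"
                                  "-----END OpenVPN Static key V1-----\n</tls-auth>\n",
    "server-plain.conf": "# no tls-auth here\n" + _TLS,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {VERDICTS[classify(text)]}")
```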
