+1 on hearing about an OpenVPN test.

On Fri, Apr 11, 2014 at 10:07 AM, Jim Pingle <[email protected]> wrote:
> On 4/11/2014 9:57 AM, Tim Nelson wrote:
>> Hot on the heels of the OpenSSL debacle, and a fresh new release of
>> pfSense (THANK YOU), I'm curious about the Heartbleed vulnerability's
>> actual surface attack area. All of the relevant information, reports,
>> and PoCs are pointing at exploit only via an affected HTTPS webserver.
>> However, I have not yet seen any PoC for exploiting other SSL based
>> services, specifically OpenVPN.
>>
>> At this time, are there PoCs for Heartbleed and OpenVPN? I understand
>> regardless the upgrade/patch is needed, but curious to know if an
>> exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even
>> static keys).
>
> Static keys were never vulnerable, nor is SSL/TLS when using a TLS
> Authentication Key unless the attacker has the key, in which case you
> probably have larger problems... or you're on a public VPN service that
> is running lots of people through common instances.
>
> https://community.openvpn.net/openvpn/wiki/heartbleed has more info.
>
> I also have yet to see a testing program/script/PoC that would get
> anything from OpenVPN. If anyone does know of one, we'd love to see it.
>
> Jim
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list
