As many of you have probably noticed, the OpenSSL project released a
security update today which fixes potential remote buffer overflows.

What you may not have known is that the ASN1 parser bug was independently
discovered in the process of stress testing OpenVPN, earning yours truly the
dubious distinction of being acknowledged in the security advisory.

So here's the scoop for OpenVPN users:

(1) If you are using preshared static key mode, you are not vulnerable.

(2) If you are using TLS mode with --tls-auth, you are not vulnerable.

(3) If you are using TLS mode without --tls-auth, you may be vulnerable if
you are also using --float.

If you think you are vulnerable, the quickest fix is to start
using --tls-auth, which was explicitly designed to protect against buffer
overflows in OpenSSL by creating a two-tier authentication hierarchy that
forces ALL incoming packets to authenticate via HMAC before they are passed
on to the TLS code in OpenSSL.  Think of it as a kind of MAC firewall.

In general you should also consider downgrading privileges with --user
and/or --group, to limit the damage that would be caused by a remote buffer
overflow attack.  If for whatever reason you must run as root, then consider
using the --chroot option to lock the OpenVPN daemon into a restricted
filesystem, so that a remote attack would not be able to modify sensitive

Of course most systems have a lot of other apps and daemons that depend on
OpenSSL so upgrading ASAP is probably the best course.


Reply via email to