[Openvpn-announce] Ramifications on OpenVPN of OpenSSL security announcement
As many of you have probably noticed, the OpenSSL project released a security update today which fixes potential remote buffer overflows. What you may not have known is that the ASN1 parser bug was independently discovered in the process of stress testing OpenVPN, earning yours truly the dubious distinction of being acknowledged in the security advisory.

So here's the scoop for OpenVPN users:

(1) If you are using preshared static key mode, you are not vulnerable.

(2) If you are using TLS mode with --tls-auth, you are not vulnerable.

(3) If you are using TLS mode without --tls-auth, you may be vulnerable if you are also using --float.

If you think you are vulnerable, the quickest fix is to start using --tls-auth, which was explicitly designed to protect against buffer overflows in OpenSSL by creating a two-tier authentication hierarchy that forces ALL incoming packets to authenticate via HMAC before they are passed on to the TLS code in OpenSSL. Think of it as a kind of MAC firewall.

In general you should also consider downgrading privileges with --user and/or --group, to limit the damage that would be caused by a remote buffer overflow attack. If for whatever reason you must run as root, then consider using the --chroot option to lock the OpenVPN daemon into a restricted filesystem, so that a remote attack would not be able to modify sensitive files.

Of course most systems have a lot of other apps and daemons that depend on OpenSSL so upgrading ASAP is probably the best course.

James
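To illustrate the "MAC firewall" idea in the announcement above, here is an added, simplified model (not OpenVPN's code or wire format) of a receiver that verifies a pre-shared-key HMAC on every packet and only then hands the payload to the TLS layer. The packet layout (32-byte HMAC-SHA256 tag followed by the payload), the key bytes and the sample packets are constructed for this example.

```python
import hashlib
import hmac

# Simplified model of the two-tier check described in the post: every packet
# carries an HMAC computed with a pre-shared key, and the receiver verifies it
# BEFORE the payload reaches the TLS/ASN.1 parsing code. Layout is an
# assumption for illustration: tag (32 bytes, HMAC-SHA256) || payload.
TAG_LEN = hashlib.sha256().digest_size  # 32


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC-SHA256 tag over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def mac_firewall(key: bytes, packet: bytes):
    """Receiver-side gate. Returns the payload if the tag verifies, else None.
    Nothing is parsed until this passes, so a packet from a sender without the
    key is dropped here regardless of what its payload contains."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def tls_layer(payload: bytes) -> str:
    """Stand-in for the code that would otherwise see untrusted bytes first."""
    return f"TLS layer received {len(payload)} bytes"


def receive(key: bytes, packet: bytes) -> str:
    """Full receive path: HMAC gate first, TLS layer only on success."""
    payload = mac_firewall(key, packet)
    if payload is None:
        return "dropped before TLS"
    return tls_layer(payload)


# Constructed demo data: the legitimate peer holds TA_KEY; the other sender does not.
TA_KEY = bytes.fromhex("00" * 31 + "01")            # constructed demo key, not a real ta.key
GOOD = seal(TA_KEY, b"\x16\x03\x01\x00\x05hello")     # constructed TLS-looking payload
BOGUS = bytes(TAG_LEN) + b"\xff" * 8                  # constructed packet with an invalid tag

if __name__ == "__main__":
    print(receive(TA_KEY, GOOD))    # TLS layer received 10 bytes
    print(receive(TA_KEY, BOGUS))   # dropped before TLS
```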