[Ach] 'Heartbleed' and OpenVPN

René Pfeiffer lynx at luchs.at
Wed Apr 9 15:46:05 CEST 2014


On Apr 09, 2014 at 1458 +0200, Ralf Schlatterbeck appeared and said:
> On Tue, Apr 08, 2014 at 12:45:23PM +0200, René Pfeiffer wrote:
> > On Apr 08, 2014 at 1239 +0200, Aaron Zauner appeared and said:
> > > https://gist.github.com/takeshixx/10107280
> > 
> > Hm, since OpenVPN servers configured with TLS Auth do not respond to
> > unauthenticated packets, I believe the test tools and attacks fail.
> 
> How is the status with openvpn, does test-code exist?

Haven't found one yet.

> Am I vulnerable if I trust all my clients, or put another way, is this
> exploitable when the attacker doesn't have a valid certificate?

I believe that everything discussed for SSL/TLS applies to OpenVPN as well.

> UDP server should verify each incoming packet against a HMAC (when
> configured), so would such a setup be vulnerable?
> 
> How about tcp?

Packet verification is only done when the tls-auth option is used. I use
tls-auth everywhere (as the OpenVPN documentation suggests), but I know that
some/most/many people don't.

If you have enabled tls-auth, then OpenVPN won't talk to you unless you
use the tls-auth shared key (this is something I wanted to add to the ACH
guide in December 2013, but my changes got lost due to troubles with the git
repositories). This means that only valid clients (or attackers with a
stolen configuration) can attack.

> https://community.openvpn.net/openvpn/wiki/heartbleed
> is very vague in this regard.

Yes, but they clearly state that OpenVPN is affected. And there is the
paragraph about TLS-auth:

„Do TLS-auth keys protect my setup?

To some extent. You are strongly encouraged to use TLS-auth keys. In this
scenario an attacker can not attack openvpn instances without the TLS-auth
key.…“

Best,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php
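The gatekeeper role of tls-auth described in the message above, as an added illustration that is not part of the original post and not OpenVPN's own code: a simplified HMAC-SHA1 tag in front of each control-channel packet is verified before anything is handed to the TLS handler, so a packet from a sender without the shared key is dropped without ever reaching the TLS code. The packet layout, the 32-byte key and the sample payloads are constructed for this demo; real OpenVPN uses a 2048-bit static key file and a more elaborate header.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; stands in for the tls-auth static key (assumption, not
# the real 2048-bit OpenVPN key file format).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
HMAC_LEN = hashlib.sha1().digest_size  # 20 bytes; SHA1 is OpenVPN's default tls-auth digest


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Client side: prefix the control-channel payload with its HMAC-SHA1 tag."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return tag + payload


def tls_auth_gate(key: bytes, packet: bytes) -> Optional[bytes]:
    """Server side: return the payload if the tag verifies, else None (silent drop)."""
    if len(packet) < HMAC_LEN:
        return None
    tag, payload = packet[:HMAC_LEN], packet[HMAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def server_receive(packet: bytes, tls_auth_key: Optional[bytes]) -> str:
    """Model the server's receive path.

    With tls-auth configured, the HMAC gate runs first and unauthenticated
    packets never reach the TLS library; without it, every packet goes
    straight to the TLS handler (where a library bug such as Heartbleed
    would be reachable by anyone who can send UDP/TCP to the port).
    """
    if tls_auth_key is not None:
        if tls_auth_gate(tls_auth_key, packet) is None:
            return "dropped"
    return "tls-handler"


if __name__ == "__main__":
    legit = sign_packet(SHARED_KEY, b"control-channel payload")   # constructed
    forged = b"\x00" * HMAC_LEN + b"control-channel payload"      # constructed, no key
    print("legit, tls-auth on :", server_receive(legit, SHARED_KEY))
    print("forged, tls-auth on:", server_receive(forged, SHARED_KEY))
    print("forged, tls-auth off:", server_receive(forged, None))
```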
