Researchers have discovered another way to exploit the Heartbleed vulnerability: attackers can bypass multi-step authentication and the fraud detection mechanism of a VPN (Virtual Private Network).
When this major OpenSSL vulnerability was disclosed last week, the main harm attributed to it was the theft of usernames, passwords, and encryption keys. Researchers have recently confirmed that the vulnerability can also be used to steal private keys from the widely used OpenVPN and other VPN applications.
Researchers at the network security research company Mandiant said on Friday that the Heartbleed vulnerability has been used to attack VPN concentrators, a type of device that usually gives users a secured way to reach an organization's internal network from outside. Such devices usually require multi-step authentication before granting access: in addition to a password, other security tokens are required. The Heartbleed vulnerability, however, can break through this mechanism. Attackers found this attack less than a day after the vulnerability was published.
The attackers did not try to break into the VPN with passwords or encryption keys; they focused instead on the session tokens set by the target concentrator. Many of these concentrators run a vulnerable version of OpenSSL. The attacker first sends a malformed "Heartbeat" request to the HTTPS web server on the VPN device. Because all of the attacked VPN devices use the vulnerable OpenSSL, the attacker can obtain an authorized user's active session token. With an active session token, the attacker can hijack multiple active user sessions and convince the VPN concentrator that the attacker is legitimately authorized.
The event can also be confirmed by analyzing IDS signatures and VPN logs. Mandiant said in its blog that because OpenSSL is so deeply rooted in every corner of the Internet, the vulnerability is extremely harmful, and it is impossible to judge how many ways it can be exploited.
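The VPN log review mentioned above can be sketched as follows. This is an added example, not code from Mandiant or any VPN vendor; it assumes a hijacked session shows up as one session token being used from two source addresses in alternation, and the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (no real product).
SAMPLE_LOG = """\
2014-04-10T10:00:01 session=a1f3 user=alice src=198.51.100.10 action=login
2014-04-10T10:05:12 session=a1f3 user=alice src=198.51.100.10 action=request
2014-04-10T10:05:40 session=a1f3 user=alice src=203.0.113.77 action=request
2014-04-10T10:05:55 session=a1f3 user=alice src=198.51.100.10 action=request
2014-04-10T10:06:03 session=a1f3 user=alice src=203.0.113.77 action=request
2014-04-10T10:01:00 session=b7c2 user=bob src=192.0.2.44 action=login
2014-04-10T10:30:00 session=b7c2 user=bob src=192.0.2.44 action=request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)

def find_shared_sessions(log_text, window=timedelta(minutes=5), min_flips=2):
    """Return sessions whose source IP changes back and forth within `window`.

    One address change can be a roaming user; repeated flips in a short
    time suggest two clients presenting the same session token at once.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        events[m["sid"]].append(
            (datetime.fromisoformat(m["ts"]), m["src"], m["user"])
        )

    findings = []
    for sid, evs in events.items():
        evs.sort()  # chronological order per session
        flips = sum(
            1
            for (t0, ip0, _), (t1, ip1, _) in zip(evs, evs[1:])
            if ip0 != ip1 and t1 - t0 <= window
        )
        if flips >= min_flips:
            findings.append({
                "session": sid,
                "user": evs[0][2],
                "sources": sorted({ip for _, ip, _ in evs}),
                "flips": flips,
            })
    return findings

if __name__ == "__main__":
    for finding in find_shared_sessions(SAMPLE_LOG):
        print(finding)
```

Sessions it reports are candidates for forced termination and re-authentication once the device runs a patched OpenSSL.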