The HeartBleed vulnerability exposes the OpenVPN private key.

The impact of the HeartBleed vulnerability on Heartbleed continues to expand. People thought last week that HeartBleed was only a nightmare for web servers, but over time, the threat of Heartbleed to enterprise intranet and data security is truly exposed, resulting in greater losses than web Services, and the repair is more difficult and long.

According to Ars, researchers have recently completed the verification attack and successfully extracted the encrypted private key from the VPN Service Running OpenVPN. This means that the Heartbleed vulnerability will affect the VPN supplier running OpenVPN.

OpenVPN is an open-source VPN software, and its default encryption library is OpenSSL. The developer responsible for maintaining OpenVPN has previously warned that the private key in the OpenVPN session will be affected by the heartbleed vulnerability. However, this statement was not verified until last Wednesday. Fredrik Str ömberg, a Swedish VPN service administrator, demonstrated the Heartbleed attack on a test server.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Str ömberg pointed out that it is more difficult to steal the private key from the OpenVPN server than to steal the private key from the Web server because the OpenVPN traffic is encapsulated in the encrypted HTTPS traffic of a specific OpenVPN container, to steal the private key, you must first separate the TLS data in the OpenVPN data packet.

In order to reconstruct the private key, attackers need to exploit the vulnerability to repeatedly send requests to the server to obtain a large amount of memory data. The strömberg who completed the verification test refused to disclose the specific numbers of the desired data size, but it is disclosed between 1 and 10 Gb. Str ömberg also said it would not publish or use the attack verification program code that can already be used for actual attacks.

The test environment of strömberg is Ubuntu12.04, OpenVPN2.2.1, and OpenSSL1.0.1 on KVM virtual machines. But Str ömberg said he suspected that all OpenVPN versions that use the vulnerability have similar vulnerabilities.

For many small and medium-sized enterprises that adopt OpenVPN, the good news is that the OpenVPN service that enables TLS Transport Layer Security Authentication will not be affected, because TLS authentication uses a separate private key to authenticate TLS packets. (Editor's note: security issues of SSL/TLS should also be paid attention)

For enterprise intranet information security managers, it is longer and more difficult to fix the Heartbleed vulnerability, resulting in greater losses than external websites. Rob Seger, security engineer at Palo alto networks, believes that almost all web services, FTP, VoIP phones, printers, and VPN servers/clients on the Intranet may be affected by this Heartbleed vulnerability, for large enterprises, the repair period is at least 4-5 years.

In addition, a large number of devices that cannot obtain patch updates from the manufacturer will have to be eliminated.

Worse, Heartbleed has no less impact on security management such as data leakage protection of enterprises than 911 on the security inspection system of the aviation industry. George Baker, Director of Security Service Company Foreground security management, believes that the Heartbleed vulnerability will force enterprises to fully review and strengthen their intranet security infrastructure using SSL, from VoIP to VPN to printer, vulnerabilities related to Heartbleed pose unprecedented threats to advanced and phishing attacks on enterprise data.

For more information about Heartbleed, click here.
Heartbleed: click here

This article permanently updates the link address: