Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Audit Finds Only One Severe Vulnerability in OpenVPN

Two teams of experts have conducted audits of the open-source virtual private network (VPN) application OpenVPN, including its use of cryptography, and they identified only one high severity vulnerability.

Two teams of experts have conducted audits of the open-source virtual private network (VPN) application OpenVPN, including its use of cryptography, and they identified only one high severity vulnerability.

One audit, conducted between December 2016 and February 2017, was carried out by cryptography expert Dr. Matthew Green and funded by Private Internet Access (PIA). Green and his team looked for both memory-related vulnerabilities (e.g. buffer overflows and use-after-free) and cryptographic weaknesses.

A security review of OpenVPN was also conducted by Quarkslab over a 50-day period between February and April, with funding from the Open Source Technology Improvement Fund (OSTIF). This audit focused on OpenVPN for Windows and Linux, the OpenVPN GUI, and the TAP driver for Windows. Both audits targeted OpenVPN 2.4.

Quarkslab discovered one vulnerability that has been rated high severity. The flaw, tracked as CVE-2017-7478, is a denial-of-service (DoS) issue that allows an unauthenticated attacker to crash OpenVPN clients and servers. Researchers pointed out that the weakness can be easily exploited.

Quarkslab also identified a medium severity DoS vulnerability (CVE-2017-7479) that can only be exploited by an authenticated attacker. The other security bugs found by the company have been classified as low severity or informational issues.

The audit conducted by Dr. Green’s Cryptography Engineering did not uncover any major flaws.

Experts did find a couple of medium severity vulnerabilities – one of them is related to the fact that sensitive authentication tokens are not wiped from memory in case of certain TLS errors, and the second issue involves potentially flawed TLS control channel encryption. Cryptography Engineering also reported discovering six low severity problems.

The more serious issues have already been addressed by OpenVPN developers, and the less severe problems will be patched in the next official release.

Advertisement. Scroll to continue reading.

“Given the numerous options and features provided by OpenVPN, vulnerabilities may crop up from certain feature combinations. This will be an ongoing challenge for OpenVPN developers to catch these problems early as the code base continues to evolve and expand,” Cryptography Engineering said in its report. “While the overall cryptographic design of OpenVPN is solid, some of the options available may undermine a user’s ability to deploy a secure VPN solution. As such, we recommend that the OpenVPN developers continue to document the risks of using certain advanced features to users.”

“OpenVPN is much safer after these audits, and the fixes applied to the OpenVPN mean that the world is safer when using this software,” OSTIF said in a blog post. “We have verified that the OpenVPN software is generally well-written with strong adherence to security practices.”

OSTIF pointed out that its next target is OpenSSL 1.1.1, which is the first version to implement TLS 1.3 and which contains numerous code changes.

Related Reading: OpenVPN Vulnerable to ShellShock Attacks

Related Reading: OpenVPN Versions Released Since 2005 Affected by Critical Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.