The Heartbleed bug exposes the private encryption keys of virtual private network (VPN) servers running the OpenVPN application with a vulnerable version of OpenSSL, a Swedish VPN service warns.
Last week, developers who maintain the open-source OpenVPN software warned of the vulnerability, which has now been confirmed by VPN service provider Mullvad.
“We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,” said Mullvad co-founder Fredrik Strömberg in a Hacker News blog post.
The test server was running Ubuntu 12.04 virtualised under KVM, OpenVPN 2.2.1, and OpenSSL 1.0.1-4ubuntu5.11.
“The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.
Mullvad’s confirmation means that organisations running OpenVPN servers, or any other servers that rely on OpenSSL, should take immediate steps to remove the vulnerability.
According to the community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f and anyone running those versions of OpenSSL should:
1. Update the OpenSSL library
2. Revoke the old private keys
3. Generate new private keys
4. Create certificates for the new private keys
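The first question for anyone working through those four steps is which servers are actually linked against an affected OpenSSL release. The script below is an added example, not code from the article, OpenVPN or Mullvad; it parses the OpenSSL version strings that servers report (upstream strings such as "OpenSSL 1.0.1e 11 Feb 2013" or a distribution package version such as the article's "1.0.1-4ubuntu5.11"), flags those in the 1.0.1 to 1.0.1f range named above, and lists the remediation steps for each. The host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration, and the function names are the example's own.

```python
"""Triage an inventory of OpenSSL version strings against the Heartbleed-
affected upstream range (1.0.1 through 1.0.1f).

Added example; not from the article, OpenVPN or Mullvad.  All host names,
version strings and function names here are constructed for illustration.
"""
import re
import ssl

# Matches the upstream version triple plus the optional release letter,
# e.g. "1.0.1e" -> ("1", "0", "1", "e"); "1.0.1-4ubuntu5.11" -> ("1","0","1","").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from an OpenSSL version string.

    Accepts both the banner form 'OpenSSL 1.0.1e 11 Feb 2013' and a Debian
    style package version such as '1.0.1-4ubuntu5.11'.  Raises ValueError
    when no version triple is present at all.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_range(text):
    """True when the upstream version is 1.0.1 through 1.0.1f inclusive.

    Caveat: distributions backport fixes without bumping the upstream letter,
    so True means 'investigate this host', not 'confirmed vulnerable'.  False
    (0.9.8, 1.0.0, 1.0.1g and later) means the heartbeat bug is absent.
    """
    major, minor, patch, letter = parse_openssl_version(text)
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Upstream 1.0.1 used single-letter releases; an empty letter is the
    # original 1.0.1 and sorts before 'a', so it is also inside the range.
    return letter <= "f"


# Constructed inventory; the first entry mirrors the article's test server.
SAMPLE_INVENTORY = {
    "vpn-1": "1.0.1-4ubuntu5.11",
    "vpn-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-3": "OpenSSL 1.0.0l 6 Jan 2014",
    "vpn-4": "OpenSSL 1.0.1e 11 Feb 2013",
}

# The four steps from the OpenVPN community wiki, in order.
REMEDIATION = (
    "update the OpenSSL library",
    "revoke the old private keys",
    "generate new private keys",
    "create certificates for the new private keys",
)


def triage(inventory):
    """Return the sorted host names whose OpenSSL is in the affected range."""
    return sorted(host for host, version in inventory.items()
                  if heartbleed_range(version))


def local_runtime_in_range():
    """Apply the same check to the OpenSSL this interpreter is linked against."""
    return heartbleed_range(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("%s: %s" % (host, "; ".join(REMEDIATION)))
    print("this interpreter: %s, in affected range: %s"
          % (ssl.OPENSSL_VERSION, local_runtime_in_range()))
```

Feed `triage` the version strings collected from each server (for example the output of `openssl version` on the host, or the package version from the package manager) and treat every host it returns as needing all four steps, not just the library update: a patched library does not help if the keys it loads were already read out of memory.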