
Successful private key extraction from OpenVPN using Heartbleed - kfreds
Hi HN,

We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed Bug. The material we found was sufficient for us to recreate the private key and impersonate the server.

As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication. OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL. Since OpenVPN uses the OpenSSL library but merely passes through the TLS traffic to OpenSSL, this means that OpenVPN is exploitable using Heartbleed, in theory. However, until now there hasn't been any solid evidence that private key material can be extracted from OpenVPN just like it has from some web servers.

This was the server setup we used:
Ubuntu 12.04 (VM using KVM)
OpenVPN 2.2.1
OpenSSL 1.0.1-4ubuntu5.11

Our exploit is decently weaponized, and while the code is an abomination that even Eris would be embarrassed to present, we believe it may severely impact those who have not already upgraded. Therefore, we will not be publishing the code. Nevertheless, you should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN. Just to be clear, we don't intend to use this exploit ourselves. We merely developed it to examine the practical impact on OpenVPN as part of our incident investigation.

To our knowledge there is currently one published proof of concept script that checks an OpenVPN server's vulnerability to Heartbleed.

Private questions that are not requests for the exploit can be emailed to stromberg@insto.org or admin@mullvad.net (PGP: 0x2C62E8AE).

Best regards,

Fredrik Strömberg, Co-founder of Mullvad

(edit: Formatting, because I'm a HN noob.)
(edit[?]: Giving up on the formatting.)
======
claudius
Apologies for the possibly stupid question: Did your OpenVPN server use TLS
Authentication (tls-auth option) and, if so, did the attacker have access to
that key?

What I have read so far seems to imply that OpenVPN is vulnerable, but only if
not used with tls-auth or if the attacker has access to the tls-auth key (as
is the case for e.g. clients).

~~~
kfreds
No, our target server did not use tls-auth because it would only have added
complexity and no valuable information. The threat model for tls-auth is
pretty straightforward.

You're correct in your second paragraph. I'll quote James Yonan and myself
from last Monday:

Using the tls-auth option should protect against this vulnerability (assuming
that your tls-auth key is not known to the attacker).

tls-auth is irrelevant if the attacker knows the key, which is the case for
consumer VPN services like ours.

~~~
claudius
Thank you very much for your reply! Of course it is irrelevant if the attacker
knows the key, but that naturally depends on the threat model under
consideration and your OP wasn’t too clear on that, hence my question :)

Thanks again!

~~~
kfreds
No problem, I only added the quotes for more clarity. I'm glad I could help :)

------
avree
Interesting. If true, this seems to contradict the statement released here:
[http://docs.openvpn.net/important-security-notice-regarding-...](http://docs.openvpn.net/important-security-notice-regarding-heartbleed-vulnerability/)

Have you contacted OpenVPN directly?

~~~
Wilya
Note that this statement is about OpenVPN Access Server, the commercial
distribution of OpenVPN.

There is a bit more info in the "community" wiki [0]. It seems the key point
is that TLS-auth would already mitigate the vulnerability. TLS-auth is on by
default in OpenVPN Access Server, but for the vanilla openvpn, you have to
configure it yourself.

And, as noted in the community statement, the TLS-auth is a single global
pre-shared key. It could leak a bit more easily than personal certificates.

[0]
[https://community.openvpn.net/openvpn/wiki/heartbleed](https://community.openvpn.net/openvpn/wiki/heartbleed)

~~~
mrsaint
Well, TLS-auth should be used _on top_ of a PKI. It is a HMAC key that an
attacker would need to know before he'd even be able to initiate a TLS
handshake.

Thus, if you have used it in your OpenVPN setup, and if you know that the few
users who have access to your VPN wouldn't have heartbleed-attacked you, then
yes, you could assume that your private key has been safe from heartbleed
despite an exploitable OpenSSL library.
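
The gating behaviour discussed in this sub-thread, as an added example that is not from any commenter and not OpenVPN's code: a simplified model of an HMAC filter sitting in front of a TLS library. The framing (tag, packet id, payload), HMAC-SHA256, the keys and all names are assumptions made for the illustration and do not reproduce OpenVPN's wire format.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # constructed framing: tag | packet id | payload


class HmacGate:
    """Simplified model of a tls-auth style filter in front of a TLS library."""

    def __init__(self, psk):
        self._psk = psk
        self._last_id = 0        # replay protection: highest packet id accepted
        self.passed_to_tls = []  # payloads the TLS library would get to parse

    def receive(self, datagram):
        if len(datagram) < TAG_LEN + 4:
            return False
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self._psk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # dropped here: the TLS code never sees the bytes
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self._last_id:
            return False  # replayed or reordered packet
        self._last_id = packet_id
        self.passed_to_tls.append(body[4:])
        return True


def wrap(psk, packet_id, payload):
    """Sender side: prepend HMAC(psk, packet id | payload)."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(psk, body, hashlib.sha256).digest() + body


def demo():
    shared_key = b"\x11" * 32    # constructed; known to the server and every client
    outsider_key = b"\x22" * 32  # constructed; an outsider's guess
    record = b"constructed stand-in for a TLS control message"
    gate = HmacGate(shared_key)
    client_packet = wrap(shared_key, 1, record)
    return {
        "unwrapped": gate.receive(record),
        "wrong_key": gate.receive(wrap(outsider_key, 1, record)),
        "key_holder": gate.receive(client_packet),
        "replay": gate.receive(client_packet),
        "seen_by_tls": len(gate.passed_to_tls),
    }
```

Only the packet from a key holder reaches the TLS layer, which is why the protection covers outsiders but not anyone who has been handed the shared key.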

------
jareds
As someone who runs a personal OpenVPN server am I correct in assuming that I
am not vulnerable to this as long as I have updated my OpenSSL libraries
through the standard Linux package managers to a recent version that has fixed
the Heartbleed bug?

~~~
jamesbritt
Are you sure that OpenVPN is not using its own bundled openssl lib? I believe
that was the case with OpenVPN_AS.

~~~
kyllo
That was definitely the case with openvpn-as. I updated my openssl package but
my VPS was still testing vulnerable until I updated openvpn-as.
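
One way to check which OpenSSL a running VPN process has actually loaded, as an added example that is not from any commenter: it parses the text of `/proc/<pid>/maps` and goes beyond the bundled-library case above to also flag a daemon that still maps a library file replaced by a package upgrade. The sample mappings are constructed, the `/opt/example-vpn` path is hypothetical, and the list of system library directories is an assumption.

```python
import re

SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Path column of a /proc/<pid>/maps line, with the kernel's "(deleted)" suffix.
_LIB = re.compile(r"\s(/\S*lib(?:ssl|crypto)[^/\s]*\.so\S*)(\s+\(deleted\))?$")


def openssl_mappings(maps_text):
    """Map each libssl/libcrypto path in /proc/<pid>/maps text to a status."""
    found = {}
    for line in maps_text.splitlines():
        m = _LIB.search(line)
        if not m:
            continue
        path, deleted = m.group(1), m.group(2) is not None
        if deleted:
            found[path] = "stale"    # file replaced on disk; restart the daemon
        elif not path.startswith(SYSTEM_LIB_DIRS):
            found[path] = "bundled"  # not touched by the distro openssl package
        else:
            found[path] = "system"
    return found


# Constructed samples; the /opt/example-vpn path is hypothetical.
UPGRADED_NOT_RESTARTED = """\
7f10a0000000-7f10a0055000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0400000-7f10a05b0000 r-xp 00000000 08:01 1312 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
"""
BUNDLED_COPY = """\
00400000-004a0000 r-xp 00000000 08:01 2001 /opt/example-vpn/bin/openvpn
7f20b0000000-7f20b0055000 r-xp 00000000 08:01 2002 /opt/example-vpn/lib/libssl.so.1.0.0
7f20b0055000-7f20b0058000 rw-p 00055000 08:01 2002 /opt/example-vpn/lib/libssl.so.1.0.0
"""
```

An empty result means no shared libssl is mapped at all, so the TLS code is either statically linked into the binary or comes from a different library, and the distro's OpenSSL package version says nothing about it.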

------
higherpurpose
I recently learned that SigmaVPN uses NaCl on Android, if anyone needs it.

[https://play.google.com/store/apps/details?id=com.frozenrive...](https://play.google.com/store/apps/details?id=com.frozenriver.sigmavpn)

It seems based on QuickTun, which is where the NaCl implementation comes from:

[http://wiki.ucis.nl/QuickTun](http://wiki.ucis.nl/QuickTun)

~~~
zx2c4
This looks super cool. Submitted it in hopes of hearing more discussion on it.
[https://news.ycombinator.com/item?id=7599091](https://news.ycombinator.com/item?id=7599091)
What's its security track record? Have you ever used this? The idea looks
nice.

------
droopybuns
Have you considered submitting the attack to hacker one?

[https://hackerone.com/internet](https://hackerone.com/internet)

~~~
kfreds
No, I didn't think of any rewards. Thanks for the link though.

~~~
droopybuns
If you do, and if you get an award, plz, for the love of security, donate the
winnings to the openssl project instead of something mindless like the freedom
of the press foundation.

~~~
tinco
Please don't donate any winnings, buy yourselves something nice. There's
plenty big rich companies out there that should be running OpenSSL.

------
tatref
I have read that the client version of OpenVPN, which is also vulnerable to
heartbleed, should be upgraded, as well as the server.

I wonder what could be a possible exploitation on the client side? Obviously,
one can not send heartbeat packets to grab the secret key!

