Tests prove Heartbleed bug exposes OpenVPN private keys

Warwick Ashford

The Heartbleed bug exposes the private encryption keys of virtual private network (VPN) servers running the OpenVPN application with a vulnerable version of OpenSSL, a Swedish VPN service warns.

Last week, the developers who maintain the open-source OpenVPN software warned of the vulnerability, which has now been confirmed by VPN service provider Mullvad.


“We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,” said Mullvad co-founder Fredrik Strömberg in a Hacker News post.

The test server ran Ubuntu 12.04, virtualised under KVM, with OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11.

“The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.

Mullvad’s confirmation means that organisations running OpenVPN servers that rely on OpenSSL should take immediate steps to remove the vulnerability.

According to the OpenVPN community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f, and anyone running those versions of OpenSSL should:

1. Update the OpenSSL library

2. Revoke the old private keys

3. Generate new private keys

4. Create certificates for the new private keys
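An added example (not from the article or the OpenVPN project) covering the check that precedes these steps and steps 3 and 4: a POSIX shell function that classifies an OpenSSL version string against the affected 1.0.1 to 1.0.1f range, accepting both the upstream form and the Debian/Ubuntu package form quoted above, and a function that generates a fresh server key and signing request for the CA. The directory, common name and 2048-bit key size are assumptions; on distributions that backport fixes without bumping the upstream version, the string alone cannot tell a patched build from an unpatched one, so the package changelog must be checked as well.

```shell
#!/bin/sh
# Added example, not part of the article: Heartbleed version triage for
# OpenVPN hosts plus regeneration of the server key material (steps 3-4).

# heartbleed_affected VERSION -> prints "affected" or "not-affected".
# Handles "1.0.1e" (upstream) and "1.0.1-4ubuntu5.11" (distro package,
# which carries no letter suffix). Caveat: a distro package that backports
# the fix still reports upstream 1.0.1, so a match here means "verify via
# the package changelog", not "definitely unpatched".
heartbleed_affected() {
    v="$1"
    base="${v%%[-+]*}"              # drop "-4ubuntu5.11" style suffixes
    case "$base" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        *)                echo not-affected ;;
    esac
}

# local_openssl_status -> classifies the openssl binary on this host,
# or prints "unknown" when none is installed.
local_openssl_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    heartbleed_affected "$(openssl version | awk '{print $2}')"
}

# regen_server_key DIR CN -> writes DIR/server.key (new 2048-bit RSA key,
# mode 0600) and DIR/server.csr for the CA to sign, then prints the SHA-256
# digest of the new public key so the rollout can be verified against the
# old (revoked) key. Assumed paths and CN; adapt to your PKI layout.
regen_server_key() {
    dir="$1"; cn="$2"
    (
        umask 077
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
            -out "$dir/server.csr" 2>/dev/null || exit 1
        openssl pkey -in "$dir/server.key" -pubout -outform DER \
            | openssl dgst -sha256
    )
}
```

Run `local_openssl_status` on each VPN host first; only after the library is updated (step 1) and the old key revoked (step 2) does `regen_server_key` make sense.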
