“We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed bug,” said Mullvad co-founder Fredrik Strömberg in a post on Hacker News.
The test server was running Ubuntu 12.04, virtualised under KVM, with OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11.
“The material we found was sufficient for us to recreate the private key and impersonate the server,” wrote Strömberg, warning that users of OpenVPN should assume others have created exploits for “nefarious purposes”.
Mullvad’s confirmation means that organisations running an OpenVPN server, or any server that relies on OpenSSL, should take immediate steps to remove the vulnerability.
According to the community wiki, OpenVPN is affected if it is linked against OpenSSL versions 1.0.1 to 1.0.1f and anyone running those versions of OpenSSL should:
1. Update the OpenSSL library
2. Revoke the old private keys
3. Generate new private keys
4. Create certificates for the new private keys
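The following POSIX shell script is an added example, not code from the article, Mullvad or the OpenVPN project. It classifies an `openssl version` string against the affected range named above (1.0.1 to 1.0.1f) and wraps steps 2 and 3 in plain openssl(1) commands. The sample version line, the certificate paths, the CA configuration file and the CN are all assumed. One caveat that the version check cannot capture: distributions such as Ubuntu often backport security fixes without changing the upstream version string, so the package version and the distribution's advisory, not the bare `openssl version` output, decide whether a host is patched.

```shell
#!/bin/sh
# Added example (not from the article): version triage and rekey helpers
# for the OpenVPN/Heartbleed remediation steps listed above.

# openssl_version_token LINE -> prints the bare version, e.g. "1.0.1e",
# from a line in the format `openssl version` prints ("OpenSSL 1.0.1e 11 Feb 2013").
openssl_version_token() {
    set -- $1
    printf '%s\n' "$2"
}

# heartbleed_affected VERSION -> exit 0 if VERSION lies in 1.0.1 .. 1.0.1f
# (the range the OpenVPN community wiki names as affected), 1 otherwise.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# rekey_server CN OUTDIR -> step 3 plus the CSR that step 4 needs:
# a fresh 2048-bit RSA key and a signing request. Requires the openssl binary;
# the CN and OUTDIR values are hypothetical.
rekey_server() {
    cn=$1; out=$2
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out/server.key" -out "$out/server.csr" -subj "/CN=$cn"
    chmod 600 "$out/server.key"   # the new private key must never be world-readable
}

# revoke_old CA_CONFIG OLD_CERT -> step 2 against an openssl(1) "ca"-style CA
# (OpenVPN deployments commonly use easy-rsa, which wraps the same commands);
# regenerates the CRL so clients stop trusting the compromised certificate.
revoke_old() {
    openssl ca -config "$1" -revoke "$2"
    openssl ca -config "$1" -gencrl -out crl.pem
}

# Constructed sample line standing in for `openssl version` output on the
# test host described in the article; on a live host use
#   ver=$(openssl_version_token "$(openssl version)")
sample='OpenSSL 1.0.1 14 Mar 2012'
ver=$(openssl_version_token "$sample")
if heartbleed_affected "$ver"; then
    echo "OpenSSL $ver is in the affected range: update the library, then revoke and rekey."
else
    echo "OpenSSL $ver is outside 1.0.1-1.0.1f; confirm against the distribution advisory."
fi
```

`rekey_server` and `revoke_old` are defined but not run by the script itself; call them after the library update, for example `revoke_old /etc/ssl/ca.cnf old-server.crt` followed by `rekey_server vpn.example.internal /etc/openvpn/new` (paths and CN hypothetical), then have the CA sign the new CSR for step 4.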