OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

OpenVPN is Not Impacted by the Enterprise VPN Vulnerability

VU#192371 Does Not Apply to OpenVPN

Earlier this week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a vulnerability warning for leading enterprise VPNs — four providers in particular — and said hundreds more could be affected by a security vulnerability that could leave users exposed to malicious hacks.

According to the CERT VU#192371 update, the providers in question appear to be storing cookies incorrectly on users’ computers. The cookies are designed to eliminate the need for users to enter their password for every new login screen — but this could prove dangerous if a bad actor gains access. According to CERT, “If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”

Although OpenVPN was not listed as at risk for the enterprise VPN security weakness, we took it upon ourselves to run a series of quality assurance tests to ensure that we are not impacted by this enterprise VPN vulnerability, and we checked for unencrypted tokens in memory or in our log files. As we continue testing, we are happy to report that we are not at risk for this vulnerability; OpenVPN is just as strong and secure as ever.

Why Is OpenVPN Immune?

Our software logs are filed on the server and client side, and sensitive login details such as passwords and session tokens are automatically redacted. Whenever we have to store any data, we store it in places that only administrators or root users on the system can access — and only if they are actively attempting to bypass the data protection measures. Additionally, our software "forgets" about user credentials as soon as possible, and replaces the credentials with a token that is valid only for a specific period of time, and only from the IP address of that specific user.

This is just one of the many methods we use to make sure our users are fully protected.
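The two properties described above (a token valid only for a limited time and only from one IP address, and redaction of tokens in logs) can be sketched as follows. This is an added example, not OpenVPN's code: the HMAC-signed token format and the names `SERVER_KEY`, `issue_token`, `verify_token` and `redact` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: demo key constructed for this example; load a real one from protected storage.
SERVER_KEY = b"constructed-demo-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user, client_ip, ttl, now=None):
    """After the credential check, hand back a token bound to one IP and an expiry."""
    now = time.time() if now is None else now
    claims = json.dumps({"user": user, "ip": client_ip, "exp": int(now) + ttl}).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_token(token, client_ip, now=None):
    """Return the user name, or None if the token is forged, expired or from another IP."""
    now = time.time() if now is None else now
    try:
        claims_b64, tag_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(claims)
    if now >= data["exp"]:  # validity window has closed
        return None
    if data["ip"] != client_ip:  # replayed from a different address
        return None
    return data["user"]


def redact(token):
    """Log-safe stand-in: a short SHA-256 fingerprint instead of the token itself."""
    return "token[sha256:" + hashlib.sha256(token.encode()).hexdigest()[:12] + "]"
```

A token copied off an endpoint fails verification once it is presented from another address or after its expiry, and log lines written with `redact()` never contain a replayable value.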

Configuration Reminder

OpenVPN users should keep in mind that the way the VPN is configured is often the cause of many vulnerabilities — not just the software itself. If you don’t configure your VPN properly, you could be leaving your entire server exposed if any of your devices are attacked.

For example, Access Server offers the option for an auto-login, which means profiles are authenticated via certificate, rather than a username/password sequence. This should be reserved for headless servers without users, which are much more secure. If you, as an administrator, allow just any user to auto-login, then you’re putting your entire system at risk.

“The default settings for Access Server are very secure. In some situations a system administrator may want to lift a particular security setting — but make sure you understand the consequences of that. If you have any doubts, please contact us for advice.” - Johan, OpenVPN Access Server Project Manager

We want our users to know that our quality assurance teams are constantly working to make sure that our software functions as expected — we offer the highest security levels to protect our users, including several measures such as pre-shared keys, peer authentication and many other types of protection. And because the OpenVPN code is a critical open source project, it is heavily scrutinized, audited, and quickly fixed if errors are ever found.

Your security and privacy are our top priority, and we will always work to ensure that our software has zero vulnerabilities and that you are protected with the best possible enterprise VPN security.
