QuarksLab and OSTIF have completed an audit of OpenVPN 2.4.0 and identified several issues that have now been fixed in the latest release. The audit ran from 15 Feb to 7 Apr 2017. It was conducted by three engineers from QuarksLab and took about 50 man-days of work. It has been the most comprehensive analysis of OpenVPN, and the security concerns it identified were later patched.
The new, audited version is OpenVPN 2.4.2, a robust package that has passed through two security audits. The initial audit was authored by Dr. Matthew Green, who examined the implementation of OpenVPN in detail and focused on software quality and cryptography. The OpenVPN 2.4.2 release addresses many issues, which were found in the initial audit as well as in the later and larger audit by QuarksLab.
The audits were sponsored by several parties and this resulted in a stronger version of OpenVPN that provides a better level of security. Some parties that contributed to the funding of the audit are Private Internet Access and ExpressVPN.
OpenVPN Audit Fixes
- Fix to lower the risk of a pre-authentication DoS attack: It was found that a hacker could crash OpenVPN without any key.
- Fix for an authenticated DoS attack: A hacker could crash OpenVPN when an AEAD cipher was in use.
- Fix in the certificate handling process
- Fix for username and password handling: Some keystrokes were not erased properly after authentication
- Fix null pointer dereference: Reserved for a future release
- Fixes in service handling
- Improvements in documentation
The issues that were discovered in the audit were mostly related to denial of service risks. For example, the audit found that a hacker could possibly crash a “secure” OpenVPN server by transferring almost 200GB of data in a single VPN session. While such an attack isn’t really a major concern if a VPN service offers a kill switch, the discovery of the flaw would certainly strengthen the protocol. A kill switch would disconnect from the attacked server and reconnect to another one.
While the problems found in the audit are not huge, it’s always a good thing to patch things up – no matter how minor they are.
After the audits, OpenVPN has become even more secure. Now OpenVPN users can be sure that their sessions are safer than ever and their data is secure and protected from hackers. The audits also revealed that OpenVPN is generally safe and follows all necessary security practices.
Regular audits are very important
It is important to conduct periodic audits of software and protocols. This way, more vulnerabilities can be uncovered and patched. As OpenVPN has a large number of users who depend on it for their safety, it was vital to check the credibility of this software. After the audits, OpenVPN was found to be generally strong, and the bugs that were found were quickly patched in the new release.
Such audits and patches don’t just help the parties that fund the research but also the entire community of VPN services and their users.