Checking connection...

[OLD] FREAKing OpenVPN

5 March 2015  NEWS

[THIS IS AN OLD BLOG FROM 2015-03-05]

The recently disclosed vulnerability in OpenSSL named FREAK can (with high certainty) be used to attack OpenVPN clients. This means that an adversary with the capability to intercept your traffic may be able to impersonate your VPN provider.

The technical details of FREAK are well explained by Matthew Green and the researchers who discovered the vulnerability, and their summaries are telling of its severity:

 "   A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a ‘man in the middle attacker’ to downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA. These attacks are real and exploitable against a shocking number of websites  including government websites. Patch soon and be careful.

    You are vulnerable if you use a web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites. If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected. For a list of insecure sites, see FREAKAttack.com

We have not been able to execute an attack on an OpenVPN client yet as the pentesting tools we have are geared towards servers, but given how OpenVPN works and uses OpenSSL it is very reasonable to assume that OpenVPN is just as vulnerable as vanilla TLS."


Am I vulnerable as an OpenVPN user?

You are vulnerable if you use an OpenVPN client which has not been patched against FREAK, and connect to an OpenVPN server that offers export ciphersuites or did offer export ciphersuites at any point in the past. For OSX users the most recent version of Tunnelblick is patched, whereas the OpenVPN client for Windows from openvpn.net is still vulnerable.

I am a provider. What do I need to do?

First of all, check whether your servers offer export ciphersuites. If you are not explicitly specifying what ciphersuites are acceptable using the tls-cipher directive assume that you are offering export ciphersuites. Note that there is no easy reliable way of determining what suites are supported on your platform. openvpn --show-tls does NOT show all OpenVPN-supported suites, nor is it guaranteed that a listed suite will work with OpenVPN.

If you are vulnerable you should do the following:

    Explicitly specify secure TLS ciphersuites on your servers
    Make patched OpenVPN clients available to your users
    Explicitly specify secure TLS ciphersuites in your client configurations

 
It is suggested that you specify the following suites on all clients and servers:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA

If you are offering a custom client for your users, make sure that you are using the latest libssl version. For your Windows users using the official OpenVPN client, encourage them to upgrade when a patched version is available.

Regarding your servers; While you will no longer be signing weak 512-bit keys, the keys you might once have given out remain valid for as long as the certificate is valid. It is therefore important that you not only patch clients, but also explicitly specify ciphersuites on the client-side from now on.

Is Mullvad vulnerable?

Not anymore. A new patched version of the client can be downloaded from our website, or new configuration files if you use plain OpenVPN. The configuration on our servers have been changed.

 
Update 2015-03-05 19:15
OpenVPN.net has released an updated Windows client that fixes the FREAK vulnerability. They have also released a statement with technical details.

They suggest using the tls-cipher string DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA.