<h1>OpenVPN successfully compromised via Heartbleed</h1>
<p>Published 2014-04-17 at <a href="https://savepearlharbor.com/?p=219845">https://savepearlharbor.com/?p=219845</a></p>
<div class="content html_format">
<p>The furore over the recently discovered Heartbleed vulnerability in OpenSSL shows no sign of dying down. Yesterday a <a href="https://news.ycombinator.com/item?id=7598616">post</a> appeared on news.ycombinator.com reporting that researchers had carried out several successful attacks on an <a href="https://openvpn.net/">OpenVPN</a> server and compromised the private key the server uses to decrypt traffic sent by the client.</p>
<blockquote><p>We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed Bug. The material we found was sufficient for us to recreate the private key and impersonate the server.</p>
<p>As you may know, OpenVPN has an SSL/TLS mode where certificates are used for authentication. OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. The default TLS library for OpenVPN is OpenSSL.</p></blockquote>
<p><img decoding="async" src="http://habrastorage.org/getpro/habr/post_images/21d/c41/e91/21dc41e917d4d5e294ed630e190f5714.png"/></p>
<p>The OpenVPN developers had already <a href="https://community.openvpn.net/openvpn/wiki/heartbleed">warned</a> users that the product uses the OpenSSL library and is vulnerable to this attack. Until yesterday, however, there was no public information showing that the attack could actually be carried out successfully. The researchers demonstrated that the recovered private key can be used to impersonate the remote server and to decrypt the data passing between the real VPN server and the user.</p>
<p><a name="habracut"></a>The attack was carried out against the following test server configuration: Ubuntu 12.04 (virtualised under KVM), OpenVPN 2.2.1 and OpenSSL 1.0.1-4ubuntu5.11.</p>
<p>It should be noted, however, that this attack will not work against sessions with the TLS-auth option enabled, since in that case a separate private key is used to encrypt the traffic.</p>
<blockquote><p>The attack vector that is present on the Access Server with the vulnerable OpenSSL libraries is not present on the Connect Clients, so the risk is minimal. Only the server that your client connects to could possibly exploit this vulnerability, and even then it is unlikely because we use Perfect Forward Security and TLS-auth on top of the SSL connection. The security of the data channel itself is not particularly at risk, only the web services on the server themselves are. And even then, since we use a privilege separation model, the web services run in a completely different process than the OpenVPN daemons handling the data connections, and therefore the private keys for your OpenVPN connections are not likely to be at any risk. Even so, we don't want to take chances and are going to release 2.0.7 soon, which will incorporate updated clients as well.</p></blockquote>
<div class="clear"></div>
</div>
<p>Link to the original article: <a href="http://habrahabr.ru/company/eset/blog/219845/">http://habrahabr.ru/company/eset/blog/219845/</a></p>