We all remember last year’s OpenSSL Heartbleed bug. Just the thought of another major vulnerability in OpenSSL will surely have server administrators around the world cringing. Not to mention the dire consequences it can have on users. Earlier today we learned that OpenSSL does in fact have a new vulnerability that will need immediate patching by some VPNs. On the bright side VPN companies that didn’t update to the latest version of OpenSSL on June 11th are not susceptible to attack.
Is your VPN provider impacted by the new OpenSSL bug? It depends on whether or not they previously installed the June 11 OpenSSL update. If not then their custom VPN software and servers should be safe. However, if they applied the version 1.0.1 or 1.0.2 updates they could be vulnerable. My first suggestion is to check your VPN provider’s website. Most offer a blog or news section. I would expect updates to be posted soon. If they do not issue a message I would suggest you contact their support. They may be busy so expect some delay but they should be able to give you a status update. If they seem clueless about your question it might be time to find a new VPN service.
Here is the security advisory posted on July 9th taken directly from the OpenSSL site:
Alternative chains certificate forgery (CVE-2015-1793) ====================================================== Severity: High During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
As you can see the OpenSSL development team marked the severity of the security risk as high. Once again any company that patched to OpenSSL 1.0.1 or 1.0.2 last month will need to immediately apply the security patch. Otherwise the vulnerability could be used to initiate man-in-the-middle attacks and other nefarious actions. Of course this doesn’t just apply to VPNs. Far from it. The bug applies to anyone running the June OpenSSL patch.
What can you expect from VPN providers in the days to come? Most were not likely running the latest version of OpenSSL in their custom client software. However, if you use the open-source OpenVPN software then you will want to download the latest version of the client. The same is true for Tunnelblick but as we write this post they haven’t released an updated version yet. I would expect one to come soon.
If you have any question as to whether or not your VPN provider has been impacted by the new OpenSSL bug I would recommend you contact their support. You could give them a day or so to post an update on their website but I’m sure they will understand any inquiries in the meantime. In this scenario it’s only the companies that updated to the latest OpenSSL patch last month that are impacted by the vulnerability. If your VPN company is security conscious enough to stay up on the latest updates then they are also likely to take immediate action on the security patch. With that said it never hurts to get clarification.
Follow us @VPNFan for the latest VPN and online privacy news.