A vulnerability has been discovered in OpenSSL that allows attackers to intercept encrypted connections between vulnerable clients and servers and force them to use weak "export-grade" cryptography, which can then be decrypted or altered.
Opengear's OpenVPN server and client have be found to be vulnerable. The upstream OpenVPN project rate the impact as "fairly small", due to an attacker requiring a man-in-the-middle position, time and money per OpenVPN instance (restart) to attack a connection necessitating a targeted attack, and because OpenVPN's perfect forward secrecy makes it impossible to decrypt sessions prior to a successful attack.
The vulnerability can be mitigated by adding the line tls-cipher DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA to each tunnel configuration file and restarting OpenVPN.
To do this automatically via the config-post-openvpn post-configurator script, download the attached set-tls-cipher.tar.gz file and copy it to the Opengear /tmp directory using WinScp, scp or similar. Login as or su to root on the CLI and run:
tar zxvf /tmp/set-tls-cipher.tar.gz
config -r openvpn
We will release firmware to explicitly disable OpenSSL export ciphers as part of our regular release cycle.
Note that HTTPS on Opengear products is not affected as per previous notification: https://opengear.zendesk.com/entries/79535869-CVE-2015-0204-aka-FREAK-HTTPS-on-Opengear-products-is-not-affected
Article is closed for comments.