Heartbleed Flaw Exploited In VPN Attack

Security researchers report attack on an enterprise that used the OpenSSL vulnerability to steal VPN session tokens and evade two-factor authentication.

Now there is evidence from a real attack that the Heartbleed bug can be exploited not only to steal the private SSL keys held by a server, but also to pull VPN session tokens out of that server's memory.

Researchers at Mandiant -- now part of threat intelligence firm FireEye -- on Friday revealed that they spotted a successful VPN-targeting attack that began April 8. That was just one day after OpenSSL issued a public security advisory about a "TLS heartbeat read overrun" in its open-source SSL and TLS implementation.

The flaw, later dubbed "Heartbleed," was quickly tapped by a VPN-targeting attacker. "The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," said Mandiant technical director Christopher Glyer and senior consultant Chris DiGiamo in a blog post. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."
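The "heartbeat read overrun" named in the OpenSSL advisory is the whole mechanism behind the attack above: a heartbeat request carries its own 16-bit payload length, and the vulnerable handler copied that many bytes into the reply without checking how many bytes had actually arrived, so whatever sat next to the request in process memory (here, a session cookie) came back to the attacker. The following is an added example, not OpenSSL's code and not anything from the Mandiant report: a model of the handler with and without the bounds check, run against a constructed malformed request placed next to a made-up secret in a constructed memory arena. The type, function, constant and secret names (tls_record, SECRET, build_record, and so on) are invented for illustration.

```c
/*
 * Added example: model of the TLS heartbeat handler with the Heartbleed bug
 * and the bounds-checked version side by side. Not OpenSSL source; all names
 * are invented, and the "memory" the handler reads is a constructed arena so
 * the over-read stays inside one array and the demo is well defined.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16     /* RFC 6520: at least 16 bytes of padding */

/* Heartbeat message as handed over by the record layer: `length` is the
 * number of bytes that really arrived, regardless of what the message's
 * own payload_length field claims. */
typedef struct {
    const uint8_t *data;
    size_t length;
} tls_record;

/* Constructed "process memory": the received record, immediately followed
 * by leftover data from another connection (a made-up session cookie). */
#define SECRET "session=0123abcd4567ef89"
static uint8_t arena[128];

/* Build a request that declares `claimed` payload bytes but carries one,
 * followed by 16 zero padding bytes, then the secret in adjacent memory. */
static tls_record build_record(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    arena[3] = 'A';                                   /* the one real payload byte */
    memcpy(arena + 20, SECRET, sizeof SECRET - 1);    /* "adjacent" memory */
    tls_record rec = { arena, 1 + 2 + 1 + HB_PADDING }; /* 20 bytes actually arrived */
    return rec;
}

/* Vulnerable handler: trusts payload_length and copies that many bytes from
 * the request, so it reads past the 20 received bytes into whatever follows.
 * Returns the reply length, or 0 if nothing is sent. */
size_t heartbeat_reply_vulnerable(const tls_record *rec, uint8_t *out, size_t cap) {
    const uint8_t *p = rec->data;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST) return 0;
    size_t total = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (total > cap) return 0;                 /* only guards the reply buffer */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);       /* over-read: never compared to rec->length */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return total;
}

/* Fixed handler: the declared payload plus header and padding must fit in
 * the bytes that actually arrived, otherwise the message is silently
 * dropped (the shape of the OpenSSL 1.0.1g fix). */
size_t heartbeat_reply_fixed(const tls_record *rec, uint8_t *out, size_t cap) {
    if (rec->length < 1 + 2 + HB_PADDING) return 0;          /* too short to be valid */
    const uint8_t *p = rec->data;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST) return 0;
    size_t total = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (total > rec->length) return 0;                       /* the missing check */
    if (total > cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return total;
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 64 payload bytes (carrying 1) makes the vulnerable
 * handler echo the neighbouring secret back to the client. */
int vulnerable_leaks_secret(void) {
    uint8_t out[256];
    tls_record rec = build_record(64);
    size_t n = heartbeat_reply_vulnerable(&rec, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* Reply length from the fixed handler for the same malformed request (0 = dropped). */
size_t fixed_reply_len_malformed(void) {
    uint8_t out[256];
    tls_record rec = build_record(64);
    return heartbeat_reply_fixed(&rec, out, sizeof out);
}

/* Both handlers answer a well-formed request (claims 1 byte, carries 1) with
 * the same 20-byte reply; returns 0 if they disagree. */
size_t well_formed_reply_len(void) {
    uint8_t a[256], b[256];
    tls_record rec = build_record(1);
    size_t na = heartbeat_reply_vulnerable(&rec, a, sizeof a);
    size_t nb = heartbeat_reply_fixed(&rec, b, sizeof b);
    return (na == nb && memcmp(a, b, na) == 0) ? na : 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler reply to malformed request: %zu bytes\n", fixed_reply_len_malformed());
    printf("reply to well-formed request: %zu bytes\n", well_formed_reply_len());
    return 0;
}
```

The point to take from the two handlers is where the length comes from: the fixed version compares the declared payload against the record length reported by the record layer (how many bytes arrived), not against anything inside the message the attacker controls, and it drops rather than errors so the peer learns nothing. With a real 16-bit field an attacker can ask for up to 64 KB per request and simply repeat, which is what "repeatedly sent malformed heartbeat requests" above describes; the arena here is kept to 128 bytes only so the demonstration never leaves defined behaviour.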

Read the full story on Dark Reading.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
jgherbert, User Rank: Ninja, 4/24/2014 | 2:22:41 PM
Re: fears realized
One thing I haven't heard enough about is how many certs are being revoked and regenerated as a result. I guess it must be happening, but if certs aren't being renewed, the danger of previous extraction of private keys could risk future communications.

I'm also in two minds about the advice to change passwords. Most people I know use the same password across multiple sites. What's the point in changing them all? If any one of those sites isn't updated and now immune to the attack, your password could still be exposed, thus opening up all the others. Obviously the "right" approach is to use a unique password for each site, but back in realityland...
Kelly Jackson Higgins, User Rank: Apprentice, 4/23/2014 | 4:24:19 PM
fears realized
A Heartbleed attack against VPNs was one of the initial worries, and this is likely the first of many such exploits. Everyone was so focused on public websites at first--now the focus should be on the intranet servers and corporate VPNs affected by the flaw.