• 04/21/2014
    12:35 PM
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Heartbleed Flaw Exploited In VPN Attack

Security researchers report attack on an enterprise that used the OpenSSL vulnerability to steal VPN session tokens and evade two-factor authentication.

Now there's live proof the Heartbleed bug can be exploited, not just to steal private SSL keys stored on a server, but also to retrieve VPN session tokens.

Researchers at Mandiant -- now part of threat intelligence firm FireEye -- on Friday revealed that they spotted a successful VPN-targeting attack that began April 8. That was just one day after OpenSSL issued a public security advisory about a "TLS heartbeat read overrun" in its open-source SSL and TLS implementation.

The flaw, later dubbed "Heartbleed," was quickly tapped by a VPN-targeting attacker. "The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users," said Mandiant technical director Christopher Glyer and senior consultant Chris DiGiamo in a blog post. "With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated."

Read the full story on Dark Reading.


fears realized

A Heartbleed attack against VPNs was one of the initial worries, and this is likely the first of many such exploits. Everyone was so focused on public websites at first--now the focus should be on the intranet servers and corporate VPNs affected by the flaw.

Re: fears realized

One thing I haven't heard enough about is now many certs are being revoked and regenerated as a result. I guess it must be happening, but if certs aren't being renewed the danger of previous extraction of private keys could risk future communications.


I'm also in two minds about the advice to change passwords. Most people I know use the same password across multiple sites. What's the point in changing them all? If any one of those sites isn't updated and now immune to the attack, your password could still be exposed, thus opening up all the others. Obviously the "right" approach is to use a unique password for each site, but back in realityland...