OSTIF and QuarksLab have undertaken an audit of the OpenVPN 2.4.0 protocol, evaluating various versions and identifying a number of issues which have been fixed in the latest release of the software.
The audit took place between 15 February 2017 and 7 April 2017 and involved three Quarkslab engineers and a total of fifty man days’ work. It looked at OpenVPN 2.4.0 for Windows and Linux, OpenVPN GUI and the TAP driver for Windows.
It did not look at OpenVPN for Android or OpenVPN Connect, but nonetheless, it is the most comprehensive examination of OpenVPN for some time and did identify a number of security concerns which have now been patched.
OpenVPN Security Concerns Addressed
These included one critical vulnerability: a pre-authentication denial of service that would allow an attacker to stop an OpenVPN server from functioning. Because this software flaw is considered easy to trigger, its severity is classed as high level.
There was also one vulnerability judged to be a medium-level issue, because it was much harder to exploit, and five more low-level vulnerabilities.
It should be noted that all software has flaws of this nature and identifying them within the OpenVPN protocol is par for the course and not something VPN users should be overly concerned about.
The most important thing with software vulnerabilities is to patch them, which is what the latest version of OpenVPN does. OpenVPN 2.4.2 fixes all of the major vulnerabilities identified in the OSTIF and QuarksLab audit.
OpenVPN now much safer
The conclusions reached at the end of the audit will be extremely encouraging for all VPN users who opt for the OpenVPN protocol.
In their conclusion, OSTIF and QuarksLab report that “OpenVPN is much safer after these audits, and the fixes applied to the OpenVPN mean that the world is safer when using this software.”
What is more, the overall conclusion about OpenVPN from the engineers who carried out the audit is also very encouraging. They concluded that “We have verified that the OpenVPN software is generally well-written with strong adherence to security practices.”
They also commented that “Best practices of development make the discovery of memory corruption vulnerability unlikely. If vulnerabilities were to be found, logical or cryptographic bugs would be more likely.”
They did note that the commitment to making future versions of OpenVPN compatible with previous ones did not have a positive impact on OpenVPN's security and also resulted in the source code being “monolithic and difficult to apprehend.”
At the same time as the OSTIF and QuarksLab audit, another security review of OpenVPN was undertaken by Dr. Matthew Green at Cryptography Engineering. This one was funded by Private Internet Access and focused on the cryptography aspects of OpenVPN, something which the other audit did not assess.
It also made a number of recommendations for improvements. Most of these have been applied in OpenVPN 2.4.2, with the rest being prepared for later versions.
Audits vitally important
It is vital that periodic audits of software such as OpenVPN are carried out to ensure that vulnerabilities are not going unnoticed and that the protocol being used by so many VPN providers is strong and secure.
It is something which benefits not just those funding the project, but the whole community of VPN providers and users.
To that end, VPNCompare.co.uk was delighted to have contributed to the funding of this project, which was provided by OSTIF. Anyone who wants to make their own contributions to further such projects can do so here.