A new "severe" OpenSSL flaw was disclosed today. OpenSSL has patched the flaw, and the fix is available on their website now.
The flaw exposes all clients, servers and software that use certificate validation to a bug that would allow an attacker to impersonate a trusted device. This is a total bypass of the security of the certificate system. If there are no additional layers of verification (that do not rely on the certificate system) then the system is vulnerable to attack.
This could allow an attacker to impersonate trusted servers and push malicious updates to software, skim security credentials, or carry out other malicious activity that would allow deep compromise of the victim's machine.
The VikingVPN Security Impact:
This area will be updated with a graphic in the near future. We are rushing out this transparency post to show exactly what we are working on and the impact of the problem.
The short answer is, you are safe, but you should still update clients immediately.
VikingVPN VPN Servers - Unaffected - Not running vulnerable version of OpenSSL
VikingVPN Load Balancers - Unaffected - Not running vulnerable version of OpenSSL
VikingVPN Web Server - Unaffected - Not running OpenSSL
OpenVPN Windows Client - VULNERABLE - We recommend updating immediately to OpenVPN 2.3.7 I003.
Tunnelblick OSX Client - VULNERABLE - We recommend updating immediately to https://tunnelblick.net/release/Tunnelblick_3.5.3_build_4270.4371.dmg
OpenVPN for Linux and BSD Client - PARTIALLY VULNERABLE - We recommend making sure OpenSSL is up to date on your machine. Depending on the Linux or BSD distro, you may not be affected.
Our network is hardened against this kind of vulnerability: to successfully attack a client, an attacker would also need our TLS_AUTH key. We still recommend updating vulnerable software, as future vulnerabilities could compound into a real-world vulnerability for VikingVPN clients.
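One way to confirm that a client profile actually carries the TLS_AUTH layer described above, as an added example that is not VikingVPN's or OpenVPN's own code. The sample profiles, hostname and key body are constructed, and the tls-crypt directive (OpenVPN 2.4 and later) is included as an assumption beyond what this post mentions.

```python
import re

# Directives that put a shared key in front of the TLS handshake (tls-auth is the post's).
PSK_DIRECTIVES = ("tls-auth", "tls-crypt")
KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"

def parse_ovpn(text):
    """Split OpenVPN config text into {directive: args} and {inline_tag: lines}."""
    directives, inline, tag = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if tag:                                   # inside an inline <tag> block
            if line == f"</{tag}>":
                tag = None
            else:
                inline[tag].append(line)
        elif (m := re.fullmatch(r"<([a-z0-9-]+)>", line)):
            tag = m.group(1)
            inline[tag] = []
        elif line and line[0] not in "#;":        # '#' and ';' start comment lines
            name, *args = line.split()
            directives[name] = args
    return directives, inline

def audit(text):
    """Report whether a client config has a key layer independent of certificates."""
    directives, inline = parse_ovpn(text)
    for name in PSK_DIRECTIVES:
        if name in inline:
            ok = KEY_HEADER in inline[name]
            return {"layer": name, "source": "inline",
                    "finding": None if ok else f"<{name}> block holds no static key"}
        if name in directives and directives[name]:
            return {"layer": name, "source": directives[name][0], "finding": None}
    return {"layer": None, "source": None, "finding": "no tls-auth/tls-crypt key layer"}

# Constructed sample configs (hostname and key body are placeholders).
WITH_KEY = """client
remote vpn.example.net 1194
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder key body)
-----END OpenVPN Static key V1-----
</tls-auth>
"""
CERT_ONLY = "client\nremote vpn.example.net 1194\n;tls-auth ta.key 1\nca ca.crt\n"

if __name__ == "__main__":
    for label, cfg in (("with key", WITH_KEY), ("cert only", CERT_ONLY)):
        print(label, audit(cfg))
```

A profile that reports no key layer depends on certificate validation alone, which is the case where updating the client's OpenSSL matters most.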