IMPORTANT: OpenSSL TLS Vulnerability

Tuesday, April 8, 2014


A critical vulnerability in the OpenSSL cryptographic software library has been discovered; it affects millions of websites as well as services using TLS, such as VPNs. The vulnerability allows attackers to read the memory of affected systems, which can lead to the compromise of secret encryption keys; those keys can then be used either to decrypt transferred data or to impersonate legitimate servers in MiTM (man-in-the-middle) attacks. For more information on this critical vulnerability, see the "Vulnerability References" and "In the news" links further down this page.

As a security company, we take security very seriously and we have taken immediate action against this vulnerability:

- The OpenSSL libraries used on our website's server were patched last night, within minutes of the vulnerability disclosure
- The website's SSL certificate has been renewed and the old one revoked (see SSL Labs Report)
- All services using OpenSSL libraries on our VPN servers, authentication servers and DNS resolvers have been patched/updated
- We have issued new encryption keys for all our VPN servers and the old keys will be revoked
IMPORTANT NOTE: make sure the date & time settings on your PC/device/router are correct (not before Apr. 8), otherwise you won't be able to connect, as openvpn will report that our keys are not yet valid.
- The VPN Client Software has been updated
- Website backend passwords of our staff have been changed

To stay up to date with our progress, please check this page again later: we won't send a new email but will instead post UPDATE notes at the bottom of this page.

The fix on the server side requires a restart of all services using the OpenSSL libraries, such as the openvpn daemons; not all services have been restarted yet, but we should finish within the next 16-20 hours. During this time frame you may experience temporary disconnects. We apologize in advance, but you should understand that keeping your communication secure and fixing such a critical bug in a timely manner is more important than a few seconds of downtime per server or a forced VPN reconnect.
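Patching the package is only half of the restart step described above: a daemon started before the upgrade keeps the old, now-deleted libssl/libcrypto mapped in memory and is still vulnerable until it is restarted. On Linux, /proc/<pid>/maps marks such mappings with a trailing "(deleted)". The script below is an added example, not the provider's own tooling; the helper names (stale_libs_in_maps, processes_needing_restart, scan_proc) are assumptions, and the sample maps content is constructed.

```python
"""List processes that still map a pre-upgrade (deleted) libssl/libcrypto,
i.e. services that were not restarted after the OpenSSL package update.
Added example, not the provider's own code; the sample maps data is constructed."""

import os
import re

# /proc/<pid>/maps appends "(deleted)" when the mapped file was replaced on disk.
_STALE = re.compile(r"\s(\S*lib(?:ssl|crypto)\.so\S*) \(deleted\)$")


def stale_libs_in_maps(maps_text):
    """Return the set of deleted libssl/libcrypto paths referenced in one maps file."""
    return {m.group(1) for m in map(_STALE.search, maps_text.splitlines()) if m}


def processes_needing_restart(maps_by_pid):
    """Given {pid: maps text}, return {pid: stale library paths} for affected processes only."""
    result = {}
    for pid, text in maps_by_pid.items():
        stale = stale_libs_in_maps(text)
        if stale:
            result[pid] = stale
    return result


def scan_proc(proc="/proc"):
    """Read every readable /proc/<pid>/maps on a live Linux host (run as root to see all)."""
    maps = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "maps")) as f:
                    maps[int(entry)] = f.read()
            except OSError:
                continue  # process exited or maps not readable
    return processes_needing_restart(maps)


# Constructed sample: PID 1203 (openvpn) still maps the deleted libraries,
# PID 1417 (sshd) was restarted and maps the replacement files.
SAMPLE_MAPS = {
    1203: (
        "7f3a1c000000-7f3a1c1b0000 r-xp 00000000 08:01 131094 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c3b0000-7f3a1c570000 r-xp 00000000 08:01 131087 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
        "7f3a1c800000-7f3a1c9b0000 r-xp 00000000 08:01 131201 "
        "/lib/x86_64-linux-gnu/libc-2.13.so\n"
    ),
    1417: (
        "7f0d2a000000-7f0d2a1b0000 r-xp 00000000 08:01 131301 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
        "7f0d2a3b0000-7f0d2a570000 r-xp 00000000 08:01 131299 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
    ),
}

if __name__ == "__main__":
    for pid, libs in sorted(processes_needing_restart(SAMPLE_MAPS).items()):
        print("PID %d needs restart: %s" % (pid, ", ".join(sorted(libs))))
```

On a real host, call scan_proc() instead of feeding SAMPLE_MAPS; an empty result after the upgrade means every service has picked up the new library, which is the condition a reboot guarantees by brute force.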

Our private CA keys are not affected, as they are stored off-line; therefore we don't have to change them.

Client Software

The vulnerability mainly affects services running on servers, but under some circumstances the attack vectors may target vulnerable client software such as openvpn.
Our VPN Client Software for Windows has been updated to include the fixed OpenSSL libraries:

You can get the full client archive here, or you can get only its "data\" folder files here
- If you get the full archive, just unzip it to a folder, or replace the folder where you already have the old version
- If you get the "data\" folder content, unzip it and replace the files in the "data\" subfolder of the folder where you have the client software

- If you are using OpenVPN GUI, download the latest version from openvpn.net or from our site
- If you use Linux, run a full system update (Debian/Ubuntu/Linux Mint: sudo apt-get update; sudo apt-get upgrade).
On Debian/Ubuntu run "dpkg -l | grep openssl" to check the openssl version. It should be (at least) 1.0.1e-2+deb7u6 on Debian 7 Wheezy, 1.0.1-4ubuntu5.12 on Ubuntu 12.04, 1.0.1c-3ubuntu2.7 on Ubuntu 12.10 and 1.0.1e-3ubuntu1.2 on Ubuntu 13.10. A reboot is recommended.
Should you require instructions to update other Linux distros, let us know. 
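To make the version check above repeatable, here is an added example (not the provider's code) that parses dpkg -l output and compares it with the minimum versions listed above using dpkg's own version-ordering rules (epoch, then upstream, then revision, with '~' sorting before everything). The function names (compare_versions, check_openssl) are assumptions and the sample dpkg output is constructed. One caveat: the shared library openvpn actually loads ships in the libssl1.0.0 package, whose dpkg -l line normally does not contain the string "openssl", so grepping for "openssl" alone can miss it; the check below covers both packages, and treats a pre-1.0.1 install (such as the 0.9.8 line) as not affected, since TLS heartbeat support only arrived in 1.0.1.

```python
"""Check installed OpenSSL packages against the minimum fixed versions listed
in the announcement. Added example, not the provider's own tooling; the sample
dpkg output is constructed."""

# Minimum fixed versions as stated in the announcement.
MIN_FIXED = {
    "Debian 7": "1.0.1e-2+deb7u6",
    "Ubuntu 12.04": "1.0.1-4ubuntu5.12",
    "Ubuntu 12.10": "1.0.1c-3ubuntu2.7",
    "Ubuntu 13.10": "1.0.1e-3ubuntu1.2",
}
FIRST_AFFECTED = "1.0.1"  # TLS heartbeat support, and with it the bug, arrived in 1.0.1


def _order(c):
    """dpkg's weight for a character in the non-digit part of a version."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before anything, even the end of the string
    return ord(c) + 256  # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a longer digit run is a larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_list(text):
    """Return {package: version} for the installed ('ii') rows of `dpkg -l` output."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1].split(":")[0]] = fields[2]  # drop ':amd64' qualifier
    return installed


def check_openssl(dpkg_output, distro, packages=("openssl", "libssl1.0.0")):
    """Classify each package as fixed, VULNERABLE, not affected or not installed."""
    # Both the openssl CLI package and the libssl1.0.0 shared library (the one
    # openvpn loads) are checked: a partial upgrade can leave them at different versions.
    minimum = MIN_FIXED[distro]
    installed = parse_dpkg_list(dpkg_output)
    results = {}
    for name in packages:
        ver = installed.get(name)
        if ver is None:
            results[name] = "not installed"
        elif compare_versions(ver, FIRST_AFFECTED) < 0:
            results[name] = "not affected (pre-1.0.1, no TLS heartbeat)"
        elif compare_versions(ver, minimum) >= 0:
            results[name] = "fixed"
        else:
            results[name] = "VULNERABLE (%s < %s)" % (ver, minimum)
    return results


# Constructed `dpkg -l` excerpt: the CLI package was upgraded, but the shared
# library is still one revision short of the fixed version.
SAMPLE_DPKG = """\
ii  libssl1.0.0:amd64  1.0.1e-2+deb7u5  amd64  SSL shared libraries
ii  openssl            1.0.1e-2+deb7u6  amd64  Secure Sockets Layer toolkit - cryptographic utility
"""

if __name__ == "__main__":
    for pkg, status in sorted(check_openssl(SAMPLE_DPKG, "Debian 7").items()):
        print("%-12s %s" % (pkg, status))
```

On a real system, pipe `dpkg -l | grep -i ssl` into check_openssl() with the matching distro key. A "fixed" result still says nothing about running processes; services started before the upgrade keep the old library mapped until they are restarted, which is why the reboot is recommended.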

The Mac OS version is likely not vulnerable, but we will check it carefully and provide an update in the coming days if needed.

Vulnerability References

The Heartbleed Bug
OpenSSL Security Advisory [07 Apr 2014]
NCSC-FI Advisory on OpenSSL

In the news

Heartbleed: Serious OpenSSL zero day vulnerability revealed (ZDNet)
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping (Ars Technica)
Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet (Tech Crunch)
Heartbleed (Schneier)

Tools to test websites for the TLS Heartbeat Vulnerability

http://filippo.io/Heartbleed/
http://rehmann.co/projects/heartbeat/

As this TLS Heartbeat bug has been in the wild for two years, we recommend changing your passwords on all web services you access over HTTPS (our Client Area, webmail, internet banking, etc.).


UPDATES:


(04/09/14) - All our servers have been successfully updated to use the patched openssl libraries and new encryption certificates. We finished the update/restart process at 14:00 GMT.
Not all servers were affected by the bug: some of them were running an older version of the OpenSSL libraries (0.9.8) that is not affected. However, private keys have been changed and OpenSSL libraries updated even on the unaffected servers.

20:10 GMT - We discovered a bug introduced in the latest version of our IPsec daemon, affecting some iOS and Mac OS X clients, which were unable to establish a connection. We have already fixed it and created an update that is being rolled out on the affected servers; ETA for full roll-out and testing: 12 hours.

(04/10/14) - All IPsec daemons have been fixed and there should be no further problems with iOS or Mac OS X clients. The roll-out was finished at 07:30 GMT.

