Call Us! [visitorlocation]
Call Us! [visitorlocation]

Need Help?

Our experts will login to your server within 30 minutes to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

How to prevent SWEET32 Birthday Attacks on OpenVPN via Blowfish cipher vulnerability (CVE-2016-6329)

How to prevent SWEET32 Birthday Attacks on OpenVPN via Blowfish cipher vulnerability (CVE-2016-6329)

In our previous post, we saw how to secure your OpenSSL servers from SWEET32 Birthday Attack. But OpenSSL isn’t the only server that’s affected by this bug.

Use of block cipher encryption algorithm makes OpenVPN servers also vulnerable to this attack. The OpenVPN vulnerability is tracked with the CVE number CVE-2016-6329

Read: SWEET32 Birthday attack : How to fix TLS vulnerability (CVE-2016-2183)

Today we’ll see how OpenVPN is affected by SWEET32 bug and how to protect your servers.

What is OpenVPN SWEET32 vulnerability?

In OpenVPN tunneling, the encryption algorithms used are: DES, 3DES, AES and Blowfish. The default algorithm in OpenVPN is the bf128 (Blowfish with 128-bit key).

The use of short 64-bit block cipher such as Blowfish has made OpenVPN vulnerable to the SWEET32 birthday attack, the new exploit released on 24th August 2016.

OpenVPN connections secured with long-lived Blowfish algorithm can be decrypted using this SWEET32 birthday attack.

In this, attackers can recover secure HTTP cookies by sniffing around 705 GB of traffic. Attackers can thus gain access to your confidential information such as credit card details.

SWEET32 Birthday attack on OpenVPN vulnerability

SWEET32 Birthday attack on OpenVPN vulnerability

Are you vulnerable to SWEET32 OpenVPN bug?

If you are running OpenVPN versions lower than 2.3.12, where the default algorithm is Blowfish, then you are vulnerable to this bug.

To know the list of cipher algorithms supported by your OpenVPN server, use the command:

openvpn --show-ciphers

How to fix SWEET32 vulnerability in OpenVPN

OpenVPN team released their latest version OpenVPN 2.3.12, that will discourage the use of 64-bit ciphers. So the best solution is to download and install this latest secure version.

You can download the latest version from the OpenVPN site and extract it and install it in your server using these steps:

tar xfz openvpn-[version].tar.gz
cd .. 
make install

The new version supports the more secure AES ciphers, and hence its not vulnerable to SWEET32 exploit.

Are your servers vulnerable?

We can help you patch your servers, do a full-site security testing and secure your services from attacks.


Emergency services provided at $49/hr

Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.
Server Management

Submit a Comment

Your email address will not be published. Required fields are marked *