How to prevent SWEET32 Birthday Attacks on OpenVPN via Blowfish cipher vulnerability (CVE-2016-6329)
In our previous post, we saw how to secure your OpenSSL servers from SWEET32 Birthday Attack. But OpenSSL isn’t the only server that’s affected by this bug.
Use of block cipher encryption algorithm makes OpenVPN servers also vulnerable to this attack. The OpenVPN vulnerability is tracked with the CVE number CVE-2016-6329.
Today we’ll see how OpenVPN is affected by SWEET32 bug and how to protect your servers.
What is OpenVPN SWEET32 vulnerability?
In OpenVPN tunneling, the encryption algorithms used are: DES, 3DES, AES and Blowfish. The default algorithm in OpenVPN is the bf128 (Blowfish with 128-bit key).
The use of short 64-bit block cipher such as Blowfish has made OpenVPN vulnerable to the SWEET32 birthday attack, the new exploit released on 24th August 2016.
OpenVPN connections secured with long-lived Blowfish algorithm can be decrypted using this SWEET32 birthday attack.
In this, attackers can recover secure HTTP cookies by sniffing around 705 GB of traffic. Attackers can thus gain access to your confidential information such as credit card details.
Are you vulnerable to SWEET32 OpenVPN bug?
If you are running OpenVPN versions lower than 2.3.12, where the default algorithm is Blowfish, then you are vulnerable to this bug.
To know the list of cipher algorithms supported by your OpenVPN server, use the command:
How to fix SWEET32 vulnerability in OpenVPN
OpenVPN team released their latest version OpenVPN 2.3.12, that will discourage the use of 64-bit ciphers. So the best solution is to download and install this latest secure version.
You can download the latest version from the OpenVPN site and extract it and install it in your server using these steps:
tar xfz openvpn-[version].tar.gz cd .. ./configure make make install
The new version supports the more secure AES ciphers, and hence its not vulnerable to SWEET32 exploit.
Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.