New OpenVPN attack demo'd at DEFCON

gfeiner

FYI. Seems dependent on compression being enabled.

https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/

jimp

Yep, that's been going around for the last week or so. We have disabled compression by default for new OpenVPN instances on 2.4.4. The good news is that it depends not only on compression being enabled, but also on the attacker being able to get the user to load plaintext they can predict (e.g. HTTP sites), and even then it can only get access to a little bit of data there like session info, and even then only on certain browsers (it doesn't work against Chrome). So it's a clever attack using classic TLS issues with compression, but the sky isn't exactly falling for most people.

• https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
• https://redmine.pfsense.org/issues/8788
• https://media.defcon.org/DEF CON 26/DEF CON 26 presentations/Nafeez/