New OpenVPN attack demo'd at DEFCON
-
FYI. Seems dependent on compression being enabled.
https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/
-
Yep, that's been going around for the last week or so. We have disabled compression by default for new OpenVPN instances on 2.4.4. The good news is that it depends not only on compression being enabled, but also on the attacker being able to get the user to load plaintext they can predict (e.g. HTTP sites), and even then it can only get access to a little bit of data there like session info, and even then only on certain browsers (it doesn't work against Chrome). So it's a clever attack using classic TLS issues with compression, but the sky isn't exactly falling for most people.
- https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
- https://redmine.pfsense.org/issues/8788
- https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Nafeez/
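Added example, not part of the thread and not pfSense or OpenVPN code: since the attack discussed above depends on compression being enabled, this sketch audits an OpenVPN configuration for directives that turn on real compression, whether set locally or pushed to clients. The function names and the sample config are constructed for illustration, and comment handling is simplified to line-start `#`/`;` plus trailing `#`.

```python
import shlex

# Algorithms that compress payload data. "stub"/"stub-v2" and a bare
# "compress" only enable compression framing without compressing.
COMPRESSING_ALGS = {"lzo", "lz4", "lz4-v2"}

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
# constructed sample
dev tun
proto udp
;comp-lzo
comp-lzo adaptive
compress stub-v2
push "compress lz4-v2"
compress
comp-lzo no
"""

def directive_compresses(tokens):
    """Return True if a tokenized directive turns on real compression."""
    if not tokens:
        return False
    name, args = tokens[0], tokens[1:]
    if name == "push" and args:
        # push "compress lz4": the quoted option takes effect on clients.
        return directive_compresses(shlex.split(args[0]))
    if name == "comp-lzo":
        # No argument means adaptive compression; only "no" turns it off.
        return not args or args[0] != "no"
    if name == "compress":
        return bool(args) and args[0] in COMPRESSING_ALGS
    return False

def audit_config(text):
    """Return (line_number, line) for each directive enabling compression."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out directive
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: cannot be judged here
        if directive_compresses(tokens):
            findings.append((num, line))
    return findings

if __name__ == "__main__":
    for num, line in audit_config(SAMPLE):
        print(f"line {num}: compression enabled by: {line}")
```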