OpenVPN Vulnerability

Discussion in 'Asuswrt-Merlin' started by SMS786, Aug 20, 2018.

  1. SMS786

    SMS786 Regular Contributor

    Joined:
    Nov 29, 2017
    Messages:
    115
    https://www.tomsguide.com/us/vpn-voracle-attack-defcon26,news-27784.html

    https://www.bleepingcomputer.com/ne...k-can-recover-http-data-from-vpn-connections/

    This attack was revealed at DEF CON last week. Apparently protecting against this vulnerability is as easy as disabling compression on our OVPN servers?

    @RMerlin, do you have any recommendations?
     
    Last edited: Aug 20, 2018
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,760
    Location:
    Canada
    Nothing more than what's already said in the article: avoid using LZO compression. Most of today's Internet data can't be compressed any further anyway (either it's encrypted, or it's jpeg/mp3/mp4/zip).

    It's another one of these "security exploits" over which I won't be losing any sleep, personally... Likelihood of this being actively exploited in the wild against generic/random victims is next to nil.
     
    martinr and SMS786 like this.
  4. SMS786

    SMS786 Regular Contributor

    Joined:
    Nov 29, 2017
    Messages:
    115
    Got it, thanks much for the clarification!
     
  5. netware5

    netware5 Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    339
    Location:
    Bulgaria
    LZ4 compression is much better and faster. Does the above vulnerability affect LZ4 also?
    And second question is: Does setting the tls-crypt option help in such circumstances?
    And finally third question: What about TAP configurations when OpenVPN encapsulates not IP packets but Ethernet frames?
     
    Last edited: Aug 21, 2018
  6. joe scian

    joe scian Regular Contributor

    Joined:
    Apr 22, 2018
    Messages:
    67
    Since the VORACLE attack report refers to compression only and makes no distinction between LZO, adaptive or LZ4, you can assume that LZ4 is included.
     
  7. Wadadli

    Wadadli Occasional Visitor

    Joined:
    Aug 16, 2017
    Messages:
    14
  8. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    549
    Looking at the requirements needed to complete that attack, it is not easy to hack.

    1. They need to be on the same network as you;
    2. You need to be using an HTTP connection;
    3. You need to be using a browser vulnerable to VORACLE (anything but Chrome);
    4. You need to visit a website that the hacker controls;
    5. You need to be using OpenVPN with compression engaged.
    The only chance will be if you are using an unknown wifi hotspot and they used an HTTP log-in page. Otherwise, the chance is very low.

    But I think turning off the compression is a good way to totally prevent things from happening.
     
    SMS786 likes this.
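
One way to check an OpenVPN config for the setting discussed in this thread, as an added example that is not part of any post and is not Asuswrt-Merlin code: it flags `comp-lzo` and `compress` directives, set locally or pushed to clients, that turn compression on. The sample config is constructed, and LZ4 is flagged alongside LZO on the assumption stated in the thread that the attack report makes no distinction between algorithms.

```python
import re

# Algorithms that actually compress payloads. "compress stub", "compress stub-v2"
# and "comp-lzo no" keep only the compression framing and do not compress.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}

# Constructed sample server config (not taken from the thread).
SAMPLE = """\
# constructed sample
port 1194
proto udp
dev tun
comp-lzo adaptive
push "compress lz4-v2"
;compress lzo
compress stub-v2
cipher AES-256-GCM
"""

def classify(tokens):
    """Return a finding for one directive, or None if it does not compress."""
    if not tokens:
        return None
    name, args = tokens[0], tokens[1:]
    if name == "comp-lzo":
        mode = args[0] if args else "adaptive"  # bare comp-lzo defaults to adaptive
        return None if mode == "no" else f"comp-lzo {mode}"
    if name == "compress" and args and args[0] in COMPRESSING:
        return f"compress {args[0]}"
    return None

def audit(config_text):
    """Return [(line_number, finding)] for directives that enable compression,
    whether set locally or pushed to clients with push "..."."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        # Simplification: treat everything after '#' or ';' as a comment.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        pushed = re.match(r'push\s+"([^"]*)"', line)
        finding = classify((pushed.group(1) if pushed else line).split())
        if finding:
            findings.append((number, ("pushed: " if pushed else "") + finding))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding} enables compression")
```

An empty result means no directive in the file enables compression; a client-side config can still enable it on its own, so client files need the same check.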