Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Encryption Security Open Source

Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) 47

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."
This discussion has been archived. No new comments can be posted.

Researcher Finds Critical OpenVPN Bug Using Fuzzing

Comments Filter:
  • Donate (Score:2, Offtopic)

    by war4peace ( 1628283 )

    We should donate TitCoin, CannabisCoin, PotCoin and the like. BTC is too mainstream.

  • by Dutch Gun ( 899105 ) on Saturday June 24, 2017 @02:18PM (#54683159)

    Fuzzing is essentially harnessing the power of our modern computational power in a brute force fashion, combined with the knowledge that many errors (especially crashes), by nature, can be leveraged into an exploit.

    In my own scripting language project, I have two fuzz tests I perform - I first fuzz a set of source scripts, and in another test, I fuzz a set of compiled bytecode, which exercises both the lexer/parser and runtime interpreter phases. I didn't even bother with a library either, just a small routine that randomly swaps and corrupts source from the original. It's really amazing how simple something like that will catch so many bugs.

    Honestly, I was implementing this just for the sake of robustness. No one but me is using the library yet, and it's just for local use in my game engine. But if you're connected to the internet in any way, there's really no excuse these days for not having a set of fuzzing tests you regularly run during your normal regression testing, and there are some great libraries available to help do this. You can even leverage Google's massive computational resources for testing for free (perhaps even get paid a small bounty) [googleblog.com] if your project is important enough, which OpenVPN certainly is. Hopefully the OpenVPM devs/maintainers take note of this and make this happen, and we'll all be more secure for it.

    BTW, if you ever want to read about an incredibly comprehensive test and regression suite, check out SQLite's description of their testing methodology: https://www.sqlite.org/testing... [sqlite.org]

    • What do you use to do your fuzzing? Did you write a custom set of tools?
      • by Dutch Gun ( 899105 ) on Saturday June 24, 2017 @03:52PM (#54683435)

        Nothing so grandiose. Just small class that randomly corrupts bytes in a memory buffer or string. Basically, it first chooses a random 0-100% odds of corruption, then iterates through each byte in the buffer, and if another random value is greater than the corruption odds, I replace the existing byte with a random one. Stupidly trivial, but still caught a number of crashes in rare corner cases I probably never would have found any other way.

        It took a tiny bit more work to set up the test scenario, which was to create an array of sample scripts (called the "corpus", as I understand it), then loop through those in a parallel array (in two phases, as I mentioned), starting with a known seed value so I can reproduce a crash as needed. Not counting the embedded corpus scripts, it was less than 150 lines of code.

      • by AHuxley ( 892839 )
        The tools exist or find a very, very smart person.
  • This guy missed his opportunity. He SHOULD have called it "AI Fuzzing" or "AI NN Fuzzing". The donations would have been rolling in. No one is interested in plain old software in 2017.
  • by darthsilun ( 3993753 ) on Saturday June 24, 2017 @02:37PM (#54683223)

    ...perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

    This is FOSS software. If someone is doing fuzzing testing, they should jump in and contribute it. I can't imagine that the OpenVPN project, or any other FOSS software project would say no to such a contribution.

    Those who stand around and offer lame suggestions like "$project should do this" are useless IMO.

    I'm currently paid to work on FOSS software. There's a lot of things we need to do. There aren't enough resources to do all of them. One thing we definitely don't need are "helpful" comments like this from the peanut gallery.

    • Yes, how dare a security researcher make a suggesting that might help a project find and mitigate future bugs after discovering some very serious issues using the aforementioned techniques. I mean, it's not like security is a core feature of a VPN anyhow. I'm sure they have much better things to do with their time than to harden their library using well-known methodologies that many others are using to enhance security and robustness their products.

      • Re: (Score:2, Flamebait)

        Security researchers are generally quite useless. When the report came out that OpenVPN was blessed as being secure by some high profile security researchers, I immediately went to the code base and within about 20 minutes just left as I found from a very brief review of the code an endless pile of likely attack vectors for the code. The only reason by the code was considered secure is because a security researcher ran nmap or Kali against it and it held up.

        I turned up far more holes in that code through vi
  • The stupidity of this claim is mind-blowing.

    Take any process A which catches a great many errors.

    Follow it up by any B process, which finds a different set of errors, possible a very narrow set.

    Sit back, eat popcorn, watch process B blow process A out of the water.

    "No matter how hard we crank on process A, the supplementary process B always catches things that the A process missed. I kind of hate to admit this, but I'm dumb enough at this point to convince myself that process B is inherently superior to pro

  • the three server flaws require the attacker be authenticated in order to exploit.

    That's the good news and the bad news. It's good because it means script kiddies aren't going to be drive-by-exploiting every old unpatched DD-WRT, and that generally many of us will be kinda safe.

    It's bad news because it's a huge deal both for VPN providers (kind of the obvious case) but also in the context of giving an attacker with RCE on a single client a huge vector to move laterally throughout a corporate network. I'm sure the original audit focused the majority of attention on the authentication code

    • by AHuxley ( 892839 )
      The threat model is gov/mil/security services.
      https://en.wikipedia.org/wiki/... [wikipedia.org] will find a VPN user.
      "Showing the usage of virtual private networks (VPNs) and machines that can potentially be hacked via TAO."
      Thats why most governments have few or no laws or comments about the about encrypted VPN use. Revealed: how US and UK spy agencies defeat internet privacy and security (September 2013)
      https://www.theguardian.com/wo... [theguardian.com]
      "... Edge hill's initial aim was to decode the encrypted traffic certified by

"Why should we subsidize intellectual curiosity?" -Ronald Reagan

Working...