Future Hosting, a virtual server hosting and dedicated server provider based in Southfield, Michigan, has warned users of the popular OpenVPN virtual private network application to update immediately.
A number of vulnerabilities in OpenVPN, including a critical remote code execution vulnerability, may allow an attacker to compromise the privacy of data communicated over OpenVPN nodes (as reported in ZDNet on June 22nd).
The vulnerabilities, which were discovered by security researcher Guido Vranken and disclosed to OpenVPN’s developers, have been patched. According to Future Hosting, users of OpenVPN should update as soon as possible to mitigate the risk to their virtual private network infrastructure. It should be noted that the vulnerabilities are unrelated to audits carried out earlier in 2017, which discovered several minor vulnerabilities. Users of OpenVPN who updated following the audits should update again.
As a provider of virtual servers and dedicated server hosting, Future Hosting’s infrastructure is used to host many instances of OpenVPN. The open source project is used by businesses of all sizes to protect communications between their internal networks and the open Internet and between servers. Future Hosting wants to encourage as many OpenVPN users as possible to update to reduce the risk to its clients and all virtual private network users.
“OpenVPN is a critical part of the security apparatus of many companies. Users of OpenVPN expect their VPN nodes to be secure – that’s why they use OpenVPN in the first place,” said Maulesh Patel, VP of Operations, Future Hosting. “We’re publicizing this set of vulnerabilities because we want to make sure the largest number of OpenVPN users are protected as quickly as possible.”
The most critical of the vulnerabilities – CVE-2017-7521 – could be used by a sophisticated attacker to exhaust and corrupt a server’s memory, says Future Hosting’s VP of Operations, potentially allowing the attacker to run arbitrary code on the server. The other vulnerabilities would be less serious, but still pose an unacceptable security risk, including a vulnerability that could allow an attacker to crash an OpenVPN server.