2 different results obtained by 2 independent auditors for OpenVPN

Last updated: July 11, 2017

2 different results obtained by 2 independent auditors for OpenVPNPerhaps no surprise, that not later than in 2016 one of the most in-demand VPN providers PIA decided to audit the security level of one of the most run-after VPN clients namely OpenVPN.

Matthew Green, a well-known cryptographer, together with his team have finished the follow-up audit of OpenVPN this year. The inspection has been focused on detecting bugs in OpenVPN 2.4 coming from memory and such showings as buffer overflow, cryptography’s weaknesses and etc.

In addition, the same audit has been also performed by Quarkslab group who have examined the client’s operation on Windows and Linux.

According to the Qurkslab’s report, two vulnerabilities of a high and medium severity have been detected.

2 different results obtained by 2 independent auditors for OpenVPN

The first vulnerability allows an unauthorized attacker a denial of the client and the OpenVPN server, which makes it sensitive for DoS attacks. The issue has been stated to be very easy for exploitation. The second vulnerability allows for DoS attacks as well, but in this case an attacker should be authorized.

The auditors have also created a list of fixes for further output’s improvements:

2 different results obtained by 2 independent auditors for OpenVPN 

The Green’s team is known to have specified several minor bugs, which are described in the posted by PIA report.

 2 different results obtained by 2 independent auditors for OpenVPN


The bottom line

Though the audit cycles have taken from 3 months to 50 days correspondingly, it is also got about that OpenVPN developers have already eliminated the most of the bugs identified during the inspections and left a few least essential glitches until the next release.

In addition, the company has stated the audits have helped them make the product even better while the auditors have handed it to the developers for abiding by the main rules and standards.

As it’s said, a good marksman may miss, that is why that sort of inspections can assist in outputs improvement and further well-being. The carried-out work has demonstrated nothing is perfect and always needs double check.