Researcher Finds Critical OpenVPN Bug Using Fuzzing

“Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog,” writes long-time Slashdot reader randomErr — one of which was a critical remote execution bug. Though patches have now been released, there’s a lesson to be learned about the importance of fuzzing — bug testing with large amounts of random data. Guido Vranken writes:

“Most of these issues were found through fuzzing. I hate admitting it, but… the arcane art of reviewing code manually, acquired through grueling practice, is dwarfed by the fuzzer in one fell swoop; the mortal’s mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.”
ZDNet adds that “OpenVPN’s audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future.” Guido adds on his blog, “This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC…”

