Audits on eduVPN

eduVPN and its various components are regularly audited by external companies. The major refactoring which led to the third major version of the eduVPN server, and the development of a shared library for the eduVPN clients, required new audits. At the end of 2022 we asked third parties to review both the eduVPN server software and the new shared library that we will use for all client apps in the future. Both audits were funded by the GÉANT project.

ROS (Radically Open Security) performed the audit on the shared library for the clients. It is used by the Linux 4.0 client [see https://github.com/eduvpn/python-eduvpn-client/releases/tag/4.0.0]. In the future, the Windows, macOS/iOS and Android apps will also use this library. ROS didn’t find any critical issue in the code but offered some suggestions to improve the code.

Cure53 performed penetration tests and source code audits of the eduVPN server software, which consists of a number of components: vpn-user-portal, vpn-server-node, php-secookie, php-oauth2server, vpn-daemon, vpn-ca. Overall, the outcome of the audit was positive and Cure53 concluded that “the code of the eduVPN project is quite robust and does not leave that much room for typical exploitation scenarios.” One issue of level “high” was identified in the code which could introduce XSS. A number of “low” issues were also found. All were addressed.

Interestingly, Cure53 was able to identify one issue which was considered to be “critical”. This issue was found in the php-saml-sp project. This is software for authenticating users using the SAML protocol that we worked on a couple of years ago because we found out that configuring SAML was very often a blocker [see https://www.eduvpn.org/php-saml-sp-a-simple-method-for-saml-integration-audited-and-released/]. The vulnerability was introduced after a previous audit of this library! An update has been released to address the vulnerability, which allowed extracting the contents of any file readable by the web server, and we requested a CVE for it (CVE-2023-26267).

The audits of ROS and Cure53 were very useful, and we quickly fixed the high and critical vulnerabilities. Part of the process was to communicate quickly to operators of eduVPN servers that they should update. We have channels for registered servers (https://www.eduvpn.org/join/), but not for people operating Let’s Connect! servers, or for those who chose not to register their service with us.

“Furthermore, it is important to note that there is currently no evidence of the misuse of the identified vulnerabilities in the field.” You commonly read the previous sentence when vendors disclose a CVE with high/critical impact. However, the question is: did they have adequate logging in place to detect potential abuse? Let us be transparent about it: we didn’t have enough default logging enabled to be fully sure, but based on the complexity of the attack we don’t expect misuse. Of course, we are willing to share all technical details with our community; please email us at our support email address for more details.

We are very pleased with the work done by Cure53 and ROS. Their expertise and attention to detail helped identify critical vulnerabilities that could have gone unnoticed, potentially leading to serious consequences.

It is crucial to emphasize that software updates and operating system (OS) updates are essential to maintaining the security of eduVPN. We often release updates to patch security vulnerabilities and improve system performance. Similarly, OS updates address security vulnerabilities and provide new security features to help protect against potential threats. Therefore, it is vital to prioritize regular software and OS updates to ensure the continued security and integrity of software systems.
