RealTime IT News

VPNs Now at Risk from Heartbleed

While Web servers remain a key target for the Heartbleed vulnerability, they aren't the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed.

Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.

"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions," Mandiant security researchers wrote in a blog post. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users."
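A defensive check for the repeated malformed heartbeat requests described in the quote, added here as an example that is not from the article or from Mandiant: it applies the RFC 6520 length rule to TLS records and counts malformed heartbeats per source. The function names, sample records, addresses and threshold are assumptions, and the check assumes it runs where records are visible in plaintext, since heartbeats sent after the handshake are encrypted.

```python
import struct
from collections import Counter

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16     # RFC 6520: at least 16 bytes of padding follow the payload


def check_heartbeat_record(record: bytes) -> str:
    """Classify one plaintext TLS record: 'not-heartbeat', 'truncated', 'ok' or 'malformed'."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"
    if rec_len < 3:
        return "malformed"  # no room for the type and payload_length fields
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The declared payload plus header and padding must fit inside the record.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "malformed"
    return "ok"


def sources_to_investigate(events, threshold=3):
    """Return source addresses that sent at least `threshold` malformed heartbeats."""
    hits = Counter(src for src, rec in events
                   if check_heartbeat_record(rec) == "malformed")
    return sorted(src for src, n in hits.items() if n >= threshold)


# Constructed sample records (not captured traffic); addresses are documentation ranges.
GOOD = struct.pack("!BHH", 24, 0x0302, 23) + struct.pack("!BH", 1, 4) + b"ping" + bytes(16)
BAD = struct.pack("!BHH", 24, 0x0302, 3) + struct.pack("!BH", 1, 0x4000)
APPDATA = struct.pack("!BHH", 23, 0x0302, 2) + b"hi"
SAMPLE_EVENTS = [("192.0.2.10", GOOD), ("198.51.100.7", BAD), ("198.51.100.7", BAD),
                 ("198.51.100.7", BAD), ("192.0.2.10", APPDATA), ("192.0.2.44", BAD)]

if __name__ == "__main__":
    print(sources_to_investigate(SAMPLE_EVENTS))
```

A source that crosses the threshold is a lead for reviewing which VPN sessions were active during that window, not proof of compromise on its own.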

Read the full story at eWEEK:
Heartbleed Takes Aim at VPNs, Other Risks Persist

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.