A significant security vulnerability, identified as CVE-2024-13454, has been discovered in the OpenVPN Easy-RSA tool, affecting versions 3.0.5 to 3.2.0 that use OpenSSL 3. The vulnerability arises from the incorrect encryption of password-protected Certificate Authority (CA) private keys during the creation process using the easyrsa build-ca command. Instead of utilizing the secure aes-256-cbc cipher, the tool defaults to the outdated and weaker des-ede3-cbc cipher. This flaw makes the CA private key susceptible to brute-force attacks, potentially compromising the entire Public Key Infrastructure (PKI) built around it.
The implications of this vulnerability are severe, as the CA private key plays a critical role in ensuring secure communications within a network.
If an attacker successfully compromises the CA private key, they could undermine the integrity of encrypted communications, jeopardizing sensitive data across the system. To mitigate the risk, organizations using affected versions of Easy-RSA are urged to take immediate action by re-encrypting the private CA key with the aes-256-cbc cipher. This can be done using the command easyrsa set-pass ca, which is available for all Easy-RSA versions.
Additionally, users are strongly encouraged to upgrade to Easy-RSA version 3.2.0 or newer, where the cipher issue has been resolved, and the correct encryption method is applied for both build-ca and set-pass commands. This new version also includes enhancements and additional security features that address the vulnerability and offer a more secure framework for key generation and management. Testing has shown that OpenSSL 1.x versions (such as 1.1.0l and 1.1.1w) do not exhibit the same flaw, emphasizing the importance of upgrading both Easy-RSA and OpenSSL versions to mitigate potential security risks.
The discovery of CVE-2024-13454 highlights the importance of maintaining up-to-date security tools and practices. Administrators and security teams are advised to follow the recommended remediation steps, which include re-encrypting the CA private key and upgrading to the latest Easy-RSA version, to safeguard their PKI infrastructure from potential exploits. Proactive vulnerability management is crucial in maintaining a secure environment for digital communications, particularly in organizations relying on secure VPN setups.
