This blog post summarizes a whitebox security review conducted by 7ASecurity (an OTF Red Team Lab partner) against the implementation of the Amnezia VPN clients.
What is AmneziaVPN
AmneziaVPN is a multi-protocol open-source VPN client that allows users to configure their own servers. The primary difference between AmneziaVPN and other VPN solutions is that the AmneziaVPN project is not a VPN service itself, but a supplier of free and open-source VPN software designed for the general public.
The Audit
In May 2022, Open Technology Fund’s Red Team Lab was approached to conduct a whitebox security review against the implementation of the AmneziaVPN mobile and desktop clients. Executed by 7ASecurity, the audit team spent approximately one month conducting AmneziaVPN’s first-ever penetration test. Consequently, identification of new security weaknesses was expected to be easier, as more vulnerabilities are identified and resolved after each testing cycle.
The aim of this test was to review the security posture of multiple AmneziaVPN clients, and to ensure AmneziaVPN users can be provided with the best possible security. The methodology implemented was whitebox. 7ASecurity was supplied with access to documentation, desktop and mobile application builds, source code, as well as a test VPN server, which was deployed following the AmneziaVPN documentation as a reference implementation. The project audited the main clients: Windows, Linux, macOS, and Android (the iOS application only became available towards the end of the security test). The core goal was to verify whether AmneziaVPN clients deliver on their promise to protect user data as well as network traffic, and to suggest how the solution might be improved in the future to make it more difficult for malicious adversaries to attack.
The security audit identified 11 vulnerabilities and five hardening recommendations with lower exploitation potential. Each finding in the attached report includes a technical description, proof-of-concept, and/or steps to reproduce the results if required, plus mitigation advice for follow-up actions by the development team.
Overall, the AmneziaVPN client applications defended themselves well against a broad range of attack vectors. However, as this was the first penetration test for this solution, a number of significant security flaws were identified. Further engagements will confirm that regular penetration testing is a valuable process that helps decrease the number of vulnerabilities found over time and increases the effort to identify security issues. This combination raises the bar for prospective attackers and places the platform in a much better position.
The full audit report can be found below.