This blog post summarizes a whitebox security review conducted by 7ASecurity (an OTF Red Team Lab partner) against the implementation of the minivpn OpenVPN implementation.
What is minivpn OpenVPN
minivpn is a minimalistic OpenVPN implementation in Go (an open source programming language) that eliminates privilege escalation attacks by design, as it runs with the permissions of the regular user.
The Audit
A Whitebox security review of the minivpn implementation was solicited by the Open Observatory of Network Interference (OONI) and executed by 7ASecurity in August 2022. This review is the first penetration test for this project, and consequently, identification of new security weaknesses was expected to be easier, as more vulnerabilities are identified and resolved after each testing cycle.
During this iteration, the aim was to review the security posture of the open-source minivpn tool, and to ensure minivpn users can be provided with the best possible security. The project entailed an audit of the minivpn OpenVPN Go client, with the core goal to verify if the client delivers on its promise to protect users data as well as network traffic, and suggest how the solution might be improved in the future in order to become more difficult to attack by malicious adversaries.
The review found that the minivpn OpenVPN Go client defended itself well against a broad range of attack vectors. However, being the first penetration test for the client, a number of significant security flaws were identified. The flaws were shared with the team behind minivpn, and following a responsible disclosure period, the results of the test were released publicly (see document link below).
Overall, the minivpn client provided a number of positive impressions during this assignment, including:
– The application is immune to privilege escalation attacks by design.
– The source code of the application is well written and adheres to a number of security best practices.
– The project implements internal test cases and mock VPN configurations for testing purposes.
– The application is intuitive and easy to use.
The security of the minivpn OpenVPN Go client will improve with a focus on the following areas:
– Input Validation
– Error Handling
– Binary Handling
– TLS Configuration Hardening
– Script Hardening
– General Hardening
– OpenVPN Feature Support
The full audit report can be found below.