IVPN has completed an independent security audit of its new gateway infrastructure. The audit, conducted by Cure53, covered the VPN gateway servers that IVPN had upgraded to a major new OS version. Because that upgrade brought numerous configuration changes, an audit of the new build before it was rolled out to customers was a sensible gate.
Two senior Cure53 testers spent six days in February 2023 examining the VPN gateway server and the VPN server OS setup. The engagement was white-box: the testers had access to IVPN's public and private GitHub code repositories. They were not given access to production VPN servers or infrastructure, so the findings describe the server build and configuration as defined in those repositories rather than the state of the live fleet.
The audit report lists three security vulnerabilities and five miscellaneous issues. They range from a world-readable config template that exposed an API key to a Linux user password weak enough to be cracked quickly. Findings like these are the point of an audit: the goal is to identify and fix weaknesses before deployment, and before anyone else finds them. The individual items, with the page of the report on which each is documented, are:
- World-readable config template revealing an API key (Page 5): A configuration template readable by every local account contained an API key. Any user or service running on the host, regardless of its intended privileges, could read the key and use it against whatever the key authorizes.
- Invalid DNS response crashing dnsfilter (Page 6): A malformed DNS response caused the dnsfilter component to crash. Because the filter sits in the resolution path, a crash is a Denial of Service (DoS) against name resolution for connected clients until the process is restarted.
- Outdated Go dependencies with known vulnerabilities (Page 7-8): Some third-party dependencies of the tested Go applications were outdated and had published vulnerabilities. The vulnerable code paths were not reachable in the tested applications, so there was no direct impact, but the exposure would grow as features are added unless dependencies are kept current.
- Files of deploy user being overwritten (Page 9): Files owned by the deploy user could be overwritten by others. The impact is limited to a minor Denial of Service (DoS).
- Secret keys present in Git repositories (Page 10): The go-services repository contained secret API keys used to process Bitcoin payments. Anyone with read access to the repository, including its history, obtains the keys, and keys committed to version control remain recoverable from history even after the file is removed, so they need to be rotated as well as moved out of the repository.
- Script not owned by root executed as root (Page 10): A shell script not owned by the root user was executed with root privileges. Whoever owns or can modify the script gains code execution as root, which is a privilege escalation path.
- Weak user-passwords on Linux that can be easily cracked (Page 11): One Linux account password was cracked in a relatively short time. A guessable password lets an attacker who reaches the authentication surface, locally or over the network, take over that account.
- Su command that can be used by anyone (Page 12): The su command was usable by every local account rather than being restricted to an administrative group, so any account could attempt password guessing against root or other users. Paired with the weak-password finding above, this gives a low-privileged foothold a practical route to escalation.
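Most of these items are host-configuration mistakes that can be caught with a few file-system and PAM checks before a server image ships. The script below is an added example written for this page, not IVPN's or Cure53's code, that checks for three of the finding classes on a Linux host: world-readable files carrying credential-looking values, scripts in root-executed locations that are not owned by root or are writable by others, and su not being restricted through pam_wheel. The directory paths, the credential regex, and the use of /etc/cron.d and /etc/cron.daily as stand-ins for "places root runs scripts from" are assumptions for illustration and should be adjusted to the real deployment. The outdated-dependency item is covered separately by running `govulncheck ./...` (from golang.org/x/vuln) against the Go modules in CI, and the weak-password item by enforcing a password policy or disabling password authentication in favour of keys.

```shell
#!/bin/sh
# Added example (not from the IVPN/Cure53 audit): host-hardening checks for
# three finding classes in the report. Run stand-alone with:  sh audit.sh --run
# Every function prints findings on stdout and exits 0; audit_host aggregates.

# Assumed regex for values that look like embedded credentials. Tune per site.
SECRET_RE='(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# 1. Credentials in config files (report items "world-readable config template"
#    and "secret keys in Git repositories"). $2 = "world-readable" limits the
#    scan to files with the other-read bit set; "any" scans every regular file.
#    Output lines look like  path:lineno:matched text
find_secrets() {
    dir=$1; scope=${2:-any}
    permfilter=""
    [ "$scope" = world-readable ] && permfilter="-perm -004"
    # $permfilter is intentionally unquoted so it word-splits into find args.
    find "$dir" -type f $permfilter 2>/dev/null | while IFS= read -r f; do
        # The extra /dev/null argument makes grep prefix each hit with the path.
        grep -inE "$SECRET_RE" "$f" /dev/null 2>/dev/null || true
    done
    return 0
}

# 2. Scripts that root executes (report item "script not owned by root executed
#    as root"): each must be owned by the expected user ($2, normally root) and
#    must not be writable by group or others. Prints every offending path.
#    The owner is a parameter so the check can be exercised as a normal user.
find_untrusted_root_scripts() {
    dir=$1; owner=${2:-root}
    find "$dir" -type f \( ! -user "$owner" -o -perm -020 -o -perm -002 \) 2>/dev/null
    return 0
}

# 3. su restricted to an admin group (report item "su command usable by anyone").
#    Returns 0 when the PAM stack for su ($1, default /etc/pam.d/su) has an
#    active "auth required pam_wheel.so" line, 1 when it is missing or commented
#    out (Debian ships it commented out). Assumes Linux-PAM.
su_is_restricted() {
    pamfile=${1:-/etc/pam.d/su}
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$pamfile" 2>/dev/null
}

# Run all checks against assumed real-host locations; exit 1 on any finding.
audit_host() {
    rc=0
    out=$(find_secrets /etc world-readable)
    [ -z "$out" ] || { echo "[!] world-readable files with credential-like values:"; echo "$out"; rc=1; }
    for d in /etc/cron.d /etc/cron.daily; do
        out=$(find_untrusted_root_scripts "$d" root)
        [ -z "$out" ] || { echo "[!] root-executed scripts not owned by root or writable by others in $d:"; echo "$out"; rc=1; }
    done
    if su_is_restricted; then
        echo "[ok] su is restricted via pam_wheel"
    else
        echo "[!] su is not restricted: add 'auth required pam_wheel.so use_uid' to /etc/pam.d/su"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = --run ]; then
    audit_host
fi
```

The checks deliberately report rather than fix: on a gateway image the right remediation is to change the build (tighten the file mode in the template, move the key to a secrets store and rotate it, chown the script to root with mode 0700, uncomment the pam_wheel line) and rebuild, not to patch the running host.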
Taken together, the findings show why auditing a new server build before deployment matters: several of them (the exposed key, the root-executed script, unrestricted su with a weak password) are the kind of local-privilege issue that an attacker who gains any foothold on a gateway would chain into full control of the host.
IVPN remediated all identified issues promptly and is now rolling the corrected configuration out to its infrastructure.
VPNs are trusted by users worldwide to protect their privacy and traffic, and they are not immune to ordinary configuration mistakes. Regular independent audits find such weaknesses before they are exploited, and publishing the results lets users judge for themselves how a provider handles security. IVPN's practice of annual audits is a good example for the rest of the industry; as the company put it in its blog post, "extensive regular audits are necessary to ensure our customer's security and continued trust."
The audit did turn up real issues, but they were fixed quickly and disclosed openly. That combination of regular testing, prompt remediation and transparency is what users should expect from any provider they trust with their data.