There are two interesting moments in NordVPN situation nobody talks ab

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
There are two interesting moments in NordVPN situation nobody talks about.
**Moment #1**: besides TLS private key for *.nordvpn.com from commercial central authority which was used for squid and apparently for IPsec, there was also ca.key from OpenVPN
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXkEwyH/x0RS+8
YGx+JNU9+rfkc0mUR7iR/KIns4qPLuDouAnugz3ACtk4rb9vMKiqcfj6Kdf5CzzZ
XWyL8svTDEEePve+pCmCQaXl1EqPx505DgINmE3JpgLEz2hkz8yYlPcsyl2jiBB5
YqhxFJAwb92wJdhDKv5YbrUuv+ncSt1n/Q2IT1vmsCjSjqD60TmigEzLhEw/J/GX
95l/UHPy7fZ5bHqHsaHV/jrh0XGxOncTCePErV1srhhJ4ml0vJpC6muowI3ceK4V
8khMI/0VZCByswbkIA7IXhvW7iyRwono5mP7T2N1bR3UJ08d8xCX/E3GBO63Jx7v
xacUNvP/AgMBAAECggEAL5MpPebRUNf0MR8W0sBOT9+FtmW7V358vbuEDj8R1YgD
G1mC16Eff8LlLh0qot+aWgPNb2jMwao5Q7/atQhg87NAq+w5wVl5z8WtV4wC6Lil
enIdAeMbR+XbtpQP9i/md8ZoxvnisLTW7fNYOZzQNeB6jOXNVQWoHNxSIH86neN/
8HUyPu07WaAaASUzLYoIZ1K86LIigSIYgjIYFsviHOMf7F+R0gTs23rQKIq9BBgg
yFhjMN0bjh2p7GqGTH86s+lV+74cy+8HctMDJofySmeTGynoPmqH8zAgAAbJegrn
MOkvW9sx2OLubiOuKP/kXe77NKcQ0bzpmLAdQ2qIAQKBgQD+3n0zVXyzmsPl3nM3
VOLLUyHmuu6ThXMjZJCCDPgUss2/KhGKVuECLn+R1Hum0Bo3uGmjHlZg95TJ9MbN
itpC+BCBXZOzHb+PLaNStSDm4ZFoNCuoZcTQmrNQogrE/UM7IfAY93GE3pGIhMOE
j33PBaMGFZlHgW8M+hommkId1wKBgQDYhSkmTXObtwwygbbOIXMjzuNrzy+TkfqU
69oqi8L5tvigYXzz2A7xxWBvygb37TY/6Xj3/Y5FUhqUYla/MAQyI7M6D+q4lbwt
CLCNfeUyMjuK4tRV2ca9pwLO4qTvfp1Nt/JS2uawW5ZbPPIEGhpmbKAyq0hw9yzT
RsW7mYkGGQKBgQCySceBYnrSVSBWrA8jFMF2BFiBxCBimAbcKlwgbZwZNp9Q68fL
Y00Rrp9UzzQUlBzS/7D+B5nbSTYPNKjhXhGiqU86f9BziwrWyNEoaUZz3DVQlLY5
nb9ZQe7QKBqqhJRESFBh1q7ViLB7tIvlLk+Ow12wQumvqK6bgFVMzboUjwKBgBdE
wDZYjnsGge4PmJiwaZJIkpIsct12C6rjac+2s15otnFt6KK/7mM3JfT9jiAowvK9
YX2tJxP2DdsyckYbn+fPhFxSB5SMqutgCrE5/V6WnWWAmPcc70nEX/3hx33haoBG
q2kSE0aSoSbu9sdQEtQ9Cj5HwAI73fpambdeeaZJAoGBAOlP/D5cCuRB+BtrsxiA
EEaNY7u0xocP1FsALuP5rw3uw0wQOso/WPqvXXf6m/NeRQ7/eYPQwst4qDkukmMp
GV8oWrcINXsjfrquo0w+/dRodidQv67QH/z4XyXQ/Q8A1y716HjyYaje1JIh83Od
pcNR9NnJEdrkhPGJoLgCOl/C
-----END PRIVATE KEY-----
"ca.key" file name is usually used for private key of root OpenVPN central authority. To use it, you also need to have certificate file ca.crt, but it's missing in the leak. Certificate usually could be easily obtained from OpenVPN connection establishment (it's a public file, OpenVPN sends it to the client upon connection), but current NordVPN configuration does not have certificates corresponding to the leaked ca.key.
Current NordVPN PKI is as follows:
1. C = PA, O = NordVPN, CN = NordVPN Root CA
2. C = PA, O = NordVPN, CN = NordVPN CA3
3. CN = xxxyyy.nordvpn.com
Both NordVPN Root CA and NordVPN CA3 does not correspond to ca.key (the modulus are different). CA3 has:
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Dec 31 23:59:59 2019 GMT
So the current CA (CA3) has been created before compromised server installation (31 Jan 2018). Not Before and Not After dates are most probably were set with within the year accuracy, but there's a [post on the internet](https://www.computerbase.de/forum/threads/nordvpn-jedoch-mit-eigenem-dns-ueber-openvpn.1845970/#post-22114791) which indicates that it was already in use as of 2 Jan 2019, which tells us it was in use before NordVPN knew that fi30.nordvpn.com is compromised (13 Apr 2019) and is in use to this day.
2019-01-02 12:07:15 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2019-01-02 12:07:15 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
2019-01-02 12:07:15 VERIFY KU OK
I don't know what to think. This could be an old file of outdated CA which is not used anymore (but why does it still copied upon provisioning, if this exact compromised server has been installed on 31 Jan 2018?). Needless to say, ca.key is not required for OpenVPN server operation and should not be copied under any condition. Could this be an older CA2?
If one find public certificate for this file, which is signed by NordVPN Root CA and still active, it would be possible to perform Man-in-the-Middle attack for to any NordVPN server.
**Moment #2, the interesting one**: The owner of fi30.nordvpn.com compromised server certificate + key can also perform Man-in-the-Middle attack to any NordVPN server, because OpenVPN does not check certificate's Common Name by default and NordVPN OpenVPN configuration files do not use this option. The server is shut down already, so you can't just grab the certificate anymore, but I bet there are people who have it. It's transmitted in plain text (just as in usual TLS), so you can extract it from tcpdump/wireshark dump of that time.
NordVPN uses neither Certificate Revocation Lists (CRL) nor Online Certificate Status Protocol (OCSP). Server certificates are signed for 1 year.
**Summary**: if we assume that f30.nordvpn.com used CA3, it seems that the attacker with public certificate and private key for this server can perform Man-in-the-Middle attack to any NordVPN OpenVPN server until 31 Dec 2019 (that's the Not After date of CA3), and NordVPN can't easily fix this, except to add the server certificate into Certificate Revocation List to the **clients** configuration file. They surely can do that in their client software automatically, but those who use standard OpenVPN client would need to re-download OpenVPN configuration files manually.
https://files.catbox.moe/vtxeiz.zip ← archive with all the files for curious.