VuXML ID | Description |
efb965be-a2c0-11eb-8956-1951a8617e30 | openvpn -- deferred authentication can be bypassed in specific circumstances
Gert Döring reports:
OpenVPN 2.5.1 and earlier versions allow remote attackers to
bypass authentication and access control channel data on servers
configured with deferred authentication, which can be used to
potentially trigger further information leaks.
Discovery 2021-03-02 Entry 2021-04-21
Affected: openvpn < 2.5.2; openvpn-mbedtls < 2.5.2
References:
https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-252
CVE-2020-15078
|
3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8 | OpenVPN -- out-of-bounds write in legacy key-method 1
Steffan Karger reports:
The bounds check in read_key() was performed after using the value,
instead of before. If 'key-method 1' is used, this allowed an
attacker to send a malformed packet to trigger a stack buffer
overflow. [...]
Note that 'key-method 1' has been replaced by 'key method 2' as the
default in OpenVPN 2.0 (released on 2005-04-17), and explicitly
deprecated in 2.4 and marked for removal in 2.5. This should limit
the amount of users impacted by this issue.
Discovery 2017-09-21 Entry 2017-09-27
Affected: openvpn-polarssl < 2.3.18; openvpn-mbedtls >= 2.4.0 and < 2.4.4; openvpn >= 2.4.0 and < 2.4.4, or < 2.3.18
References:
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15492.html
CVE-2017-12166
|
45a72180-a640-11ec-a08b-85298243e224 | openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins
David Sommerseth reports:
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.
Discovery 2022-03-10 Entry 2022-03-17
Affected: openvpn < 2.5.6; openvpn-mbedtls < 2.5.6
References:
CVE-2022-0547
https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256
|
9f65d382-56a4-11e7-83e3-080027ef73ec | OpenVPN -- several vulnerabilities
Samuli Seppänen reports:
In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.
This is a list of fixed important vulnerabilities:
- Remotely-triggerable ASSERT() on malformed IPv6 packet
- Pre-authentication remote crash/information disclosure for clients
- Potential double-free in --x509-alt-username
- Remote-triggerable memory leaks
- Post-authentication remote DoS when using the --x509-track option
- Null-pointer dereference in establish_http_proxy_passthru()
Discovery 2017-05-19 Entry 2017-06-21
Affected: openvpn < 2.3.17, or >= 2.4.0 and < 2.4.3; openvpn-mbedtls < 2.4.3; openvpn-polarssl < 2.3.17
References:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
CVE-2017-7508, CVE-2017-7512, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522
|
8604121c-7fc2-11ea-bcac-7781e90b0c8f | openvpn -- illegal client float can break VPN session for other users
Lev Stipakov and Gert Doering report:
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from
another address and with the same peer-id, this would cause the client to float
to that new address.
The net effect of this behaviour is that the VPN session for the
"victim client" is broken. Since the "attacker client" does not have
suitable keys, it cannot inject or steal VPN traffic from the other
session. The time window is small and it cannot be used to attack
a specific client's session, unless some other way is found to make it
disconnect and reconnect first.
Discovery 2020-04-13 Entry 2020-04-16
Affected: openvpn < 2.4.8_3; openvpn-mbedtls < 2.4.8_3; openvpn-devel < 202016
References:
https://github.com/OpenVPN/openvpn/commit/f7b318f811bb43c0d3aa7f337ec6242ed2c33881
https://sourceforge.net/p/openvpn/openvpn/ci/f7b318f811bb43c0d3aa7f337ec6242ed2c33881/
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
https://community.openvpn.net/openvpn/ticket/1272
https://patchwork.openvpn.net/patch/1077/
CVE-2020-11810
|
04cc7bd2-3686-11e7-aa64-080027ef73ec | OpenVPN -- two remote denial-of-service vulnerabilities
Samuli Seppänen reports:
OpenVPN v2.4.0 was audited for security vulnerabilities independently by
Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by
Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.
An authenticated client can do the 'three way handshake'
(P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet
is the first that is allowed to carry payload. If that payload is
too big, the OpenVPN server process will stop running due to an
ASSERT() exception. That is also the reason why servers using
tls-auth/tls-crypt are protected against this attack - the P_CONTROL
packet is only accepted if it contains the session ID we specified,
with a valid HMAC (challenge-response). (CVE-2017-7478)
An authenticated client can cause the server's packet-id
counter to roll over, which would lead the server process to hit an
ASSERT() and stop running. To make the server hit the ASSERT(), the
client must first cause the server to send it 2^32 packets (at least
196 GB). (CVE-2017-7479)
Discovery 2017-05-10 Entry 2017-05-11
Affected: openvpn < 2.3.15, or >= 2.4.0 and < 2.4.2; openvpn23 < 2.3.15; openvpn-mbedtls >= 2.4.0 and < 2.4.2; openvpn-polarssl < 2.3.15; openvpn23-polarssl < 2.3.15
References:
https://openvpn.net/index.php/open-source/downloads.html
CVE-2017-7478, CVE-2017-7479
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
https://ostif.org/?p=870&preview=true
https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-2-fixes-critical-issues-discovered-openvpn-audit-reports/
|