OpenVPN Patches Remotely Exploitable Vulnerabilities
OpenVPN this week patched several vulnerabilities impacting various branches, including flaws that could be exploited remotely.
Four of the bugs were found by researcher Guido Vranken through fuzzing, after recent audits found a single severe bug in OpenVPN. While analyzing OpenVPN 2.4.2, the researcher found and reported four security issues that were addressed in the OpenVPN 2.4.3 and OpenVPN 2.3.17 releases this week.
The most important of the four issues is a remotely triggerable ASSERT() on a malformed IPv6 packet, which can be exploited to remotely shut down an OpenVPN server or client. Tracked as CVE-2017-7508, the bug can be triggered if IPv6 and --mssfix are enabled and only if the IPv6 networks used inside the VPN are known.
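A defender's check for the CVE-2017-7508 preconditions described above, as an added example that is not from the article or from OpenVPN: it tests a config and a version string against the fixed releases named here. The IPv6 directive list, the sample config, and treating mssfix as on unless set to 0 (its documented default) are assumptions.

```python
import re

# Fixed releases named in the article, keyed by branch.
FIXED = {(2, 4): (2, 4, 3), (2, 3): (2, 3, 17)}
# Directives that configure IPv6 inside the tunnel (illustrative list, not exhaustive).
IPV6_DIRECTIVES = {"server-ipv6", "ifconfig-ipv6", "ifconfig-ipv6-pool", "route-ipv6"}

def is_patched(version):
    """True/False for the 2.3 and 2.4 branches; None for a branch the article does not name."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def directives(config_text):
    """Return each directive as a token list, dropping comments and a leading '--'."""
    out = []
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            tokens = line.split()
            tokens[0] = tokens[0].lstrip("-")
            out.append(tokens)
    return out

def exposed_to_cve_2017_7508(config_text, version):
    """True when the config meets the article's preconditions and the build is not known-fixed."""
    if is_patched(version):
        return False
    d = directives(config_text)
    uses_ipv6 = any(t[0] in IPV6_DIRECTIVES for t in d)
    # Assumption: mssfix is on by default per the OpenVPN manual; "mssfix 0" turns it off.
    mssfix_on = not any(t[0] == "mssfix" and t[1:2] == ["0"] for t in d)
    return uses_ipv6 and mssfix_on

# Constructed sample config, not taken from the article.
SAMPLE = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:1234:5678::/64   # IPv6 inside the VPN
"""

if __name__ == "__main__":
    for v in ("2.4.2", "2.4.3", "2.3.16", "2.3.17"):
        print(v, exposed_to_cve_2017_7508(SAMPLE, v))
    print("mssfix 0:", exposed_to_cve_2017_7508(SAMPLE + "mssfix 0\n", "2.4.2"))
```

The check cannot tell whether an attacker knows the IPv6 networks used inside the VPN, which the article lists as a further condition, so a positive result means "upgrade", not "exploitable".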
Tracked as CVE-2017-7521, a second vulnerability involves remotely triggerable memory leaks. The issue is that the code doesn’t free all allocated memory when using the --x509-alt-username option on OpenSSL builds with an extension (argument prefixed with “ext:”).
“Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack,” OpenVPN explains in an advisory.
The third vulnerability Guido Vranken discovered was a potential double-free in --x509-alt-username, tracked as…