[arch-security] [ASA-201706-27] openvpn: multiple issues
Arch Linux Security Advisory ASA-201706-27 ========================================== Severity: Critical Date : 2017-06-22 CVE-ID : CVE-2017-7508 CVE-2017-7512 CVE-2017-7520 CVE-2017-7521 Package : openvpn Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-318 Summary ======= The package openvpn before version 2.4.3-1 is vulnerable to multiple issues including information disclosure, arbitrary code execution and denial of service. Resolution ========== Upgrade to 2.4.3-1. # pacman -Syu "openvpn>=2.4.3-1" The problems have been fixed upstream in version 2.4.3. Workaround ========== None. Description =========== - CVE-2017-7508 (denial of service) A remote denial of service has been found in OpenVPN < 2.4.3, allowing a remote client to crash a server by sending a malformed IPv6 packet. The issue requires IPv6 and the --mssfix option to be enabled, and knowledge of the IPv6 networks used inside the VPN. - CVE-2017-7512 (denial of service) A remote denial of service has been found in OpenVPN < 2.4.3. A remote client can exploit a memory leak in the server's certificate parsing code to make it leak a few bytes of memory for each connection attempt, causing it to run out of memory. - CVE-2017-7520 (information disclosure) A pre-authentication remote crash/information disclosure vulnerability has been discovered in OpenVPN < 2.4.3. If the client uses a HTTP proxy with NTLM authentication (i.e. "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2") to connect to the OpenVPN server, an attacker in position of man-in-the-middle between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. - CVE-2017-7521 (arbitrary code execution) A use-after-free has been found in OpenVPN < 2.4.3. The issue is caused by extract_x509_extension() not checking the return value of ASN1_STRING_to_UTF8(), and using then freeing a memory allocation that has already been freed if it failed. The issue requires the use of the --x509-alt-username option with an x509 extension, and is very unlikely to be triggered unless the remote peer can make the local process run out of memory. Impact ====== An attacker in position of man-in-the-middle can access sensitive information from a client using a HTTP proxy with NTLM authentication to connect to the server. A remote attacker can crash a server and possibly execute arbitrary code on the affected host under specific conditions. References ========== https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bon... https://github.com/OpenVPN/openvpn/commit/c3f47077a7 https://github.com/OpenVPN/openvpn/commit/2341f71619 https://github.com/OpenVPN/openvpn/commit/7718c8984f https://github.com/OpenVPN/openvpn/commit/cb4e35ece4 https://github.com/OpenVPN/openvpn/commit/2d032c7fcd https://security.archlinux.org/CVE-2017-7508 https://security.archlinux.org/CVE-2017-7512 https://security.archlinux.org/CVE-2017-7520 https://security.archlinux.org/CVE-2017-7521
participants (1)
-
Remi Gacogne