[arch-security] [ASA-201706-27] openvpn: multiple issues

Remi Gacogne rgacogne at archlinux.org
Thu Jun 22 12:47:43 UTC 2017


Arch Linux Security Advisory ASA-201706-27
==========================================

Severity: Critical
Date    : 2017-06-22
CVE-ID  : CVE-2017-7508 CVE-2017-7512 CVE-2017-7520 CVE-2017-7521
Package : openvpn
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-318

Summary
=======

The package openvpn before version 2.4.3-1 is vulnerable to multiple
issues including information disclosure, arbitrary code execution and
denial of service.

Resolution
==========

Upgrade to 2.4.3-1.

# pacman -Syu "openvpn>=2.4.3-1"

The problems have been fixed upstream in version 2.4.3.

Workaround
==========

None.

Description
===========

- CVE-2017-7508 (denial of service)

A remote denial of service has been found in OpenVPN < 2.4.3, allowing
a remote client to crash a server by sending a malformed IPv6 packet.
The issue requires IPv6 and the --mssfix option to be enabled, and
knowledge of the IPv6 networks used inside the VPN.

- CVE-2017-7512 (denial of service)

A remote denial of service has been found in OpenVPN < 2.4.3. A remote
client can trigger a memory leak in the server's certificate parsing
code: a few bytes are lost on every connection attempt, so repeated
attempts eventually exhaust the server's memory.

- CVE-2017-7520 (information disclosure)

A pre-authentication remote crash/information disclosure vulnerability
has been discovered in OpenVPN < 2.4.3. If the client uses an HTTP proxy
with NTLM authentication (i.e. "--http-proxy <server> <port>
[<authfile>|'auto'|'auto-nct'] ntlm2") to connect to the OpenVPN
server, an attacker in a man-in-the-middle position between the client
and the proxy can cause the client to crash or to disclose at most 96
bytes of stack memory. The disclosed stack memory is likely to contain
the proxy password.

- CVE-2017-7521 (arbitrary code execution)

A use-after-free has been found in OpenVPN < 2.4.3.
extract_x509_extension() does not check the return value of
ASN1_STRING_to_UTF8(); when that call fails, the function goes on to
use, and then free, a buffer that has already been freed. The issue
requires the use of the --x509-alt-username option with an x509
extension, and is very unlikely to be triggered unless the remote peer
can make the local process run out of memory.
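
As an added example (not part of this advisory or of OpenVPN), the
following POSIX shell script triages an OpenVPN configuration file
against the preconditions described above, so that hosts can be
prioritised for the upgrade. It does not replace the upgrade and does
not inspect the installed package version. It maps the advisory's
wording to config directives as follows: for CVE-2017-7508 it looks for
a server with IPv6 directives inside the tunnel and treats --mssfix as
in effect unless the config sets "mssfix 0", because OpenVPN 2.x
defaults mssfix to 1450 on UDP; for CVE-2017-7512 any server config is
reported; for CVE-2017-7520 it reports an http-proxy line whose
authentication method is NTLM (the advisory names ntlm2; also flagging
plain ntlm is a conservative choice of this script, not a statement of
the advisory); for CVE-2017-7521 it looks for x509-username-field with
an ext: argument, the runtime directive behind the --x509-alt-username
feature. The sample configuration the script writes is constructed for
the dry run and is not a real deployment.

```shell
#!/bin/sh
# Added example for ASA-201706-27 (not part of the advisory or of OpenVPN):
# report which of the four CVEs' described preconditions an OpenVPN config
# file meets. Prioritisation aid only; the fix is openvpn >= 2.4.3-1.

# Print the effective directives of a config, one per line, as "name args":
# inline file blocks (<ca> ... </ca>, <cert>, <key>, ...) skipped, leading
# whitespace and a leading "--" removed, comment lines (# or ;) and blank
# lines dropped, trailing inline comments cut.
ovpn_directives() {
    sed -e '/^[[:space:]]*<[A-Za-z-]*>[[:space:]]*$/,/^[[:space:]]*<\/[A-Za-z-]*>[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e '/^[#;]/d' \
        -e 's/[[:space:]]*[#;].*$//' \
        -e '/^$/d' \
        -e 's/^--//' \
        "$1"
}

# Exit 0 if the named directive appears in the config at all.
ovpn_has() {
    ovpn_directives "$1" | awk '{ print $1 }' | grep -qx -- "$2"
}

# Print the arguments of the first occurrence of a directive (empty if absent).
ovpn_args() {
    ovpn_directives "$1" | awk -v n="$2" '$1 == n { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# A config acts as a server if it uses server, server-ipv6, tls-server or
# "mode server" (CVE-2017-7512 applies to any such server).
ovpn_is_server() {
    ovpn_has "$1" server || ovpn_has "$1" server-ipv6 || ovpn_has "$1" tls-server \
        || [ "$(ovpn_args "$1" mode)" = "server" ]
}

# List the directives that put IPv6 inside the tunnel, including pushed
# route-ipv6/ifconfig-ipv6 options, one per line, sorted.
ovpn_ipv6_directives() {
    ovpn_directives "$1" | awk '
        $1 ~ /^(server-ipv6|ifconfig-ipv6|ifconfig-ipv6-push|ifconfig-ipv6-pool|route-ipv6|iroute-ipv6|tun-ipv6)$/ { print $1 }
        $1 == "push" && $0 ~ /ipv6/ { gsub(/"/, ""); print "push:" $2 }
    ' | sort -u
}

# mssfix is in effect unless the config explicitly sets "mssfix 0"
# (OpenVPN 2.x defaults it to 1450 on UDP transports).
ovpn_mssfix_enabled() {
    [ "$(ovpn_args "$1" mssfix)" != "0" ]
}

# Print the http-proxy auth method if it is NTLM. The advisory names ntlm2;
# flagging plain ntlm too is this script's conservative assumption.
ovpn_ntlm_proxy() {
    ovpn_args "$1" http-proxy \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "ntlm" || $i == "ntlm2") { print $i; exit } }'
}

# Print the x509-username-field argument when it names an extension (ext:...).
ovpn_x509_ext_field() {
    ovpn_args "$1" x509-username-field | awk '$1 ~ /^ext:/ { print $1 }'
}

# One line per CVE: "CVE-...: EXPOSED (reason)" or "CVE-...: not indicated".
ovpn_triage() {
    cfg_file=$1
    ipv6=$(ovpn_ipv6_directives "$cfg_file" | tr '\n' ' ')
    if ovpn_is_server "$cfg_file" && ovpn_mssfix_enabled "$cfg_file" && [ -n "$ipv6" ]; then
        echo "CVE-2017-7508: EXPOSED (server, mssfix in effect, IPv6 in tunnel: ${ipv6% })"
    else
        echo "CVE-2017-7508: not indicated"
    fi
    if ovpn_is_server "$cfg_file"; then
        echo "CVE-2017-7512: EXPOSED (server parses certificates on every remote connection attempt)"
    else
        echo "CVE-2017-7512: not indicated"
    fi
    ntlm=$(ovpn_ntlm_proxy "$cfg_file")
    if [ -n "$ntlm" ]; then
        echo "CVE-2017-7520: EXPOSED (http-proxy with $ntlm authentication)"
    else
        echo "CVE-2017-7520: not indicated"
    fi
    ext=$(ovpn_x509_ext_field "$cfg_file")
    if [ -n "$ext" ]; then
        echo "CVE-2017-7521: EXPOSED (x509-username-field $ext)"
    else
        echo "CVE-2017-7521: not indicated"
    fi
}

# Constructed sample server config (not a real deployment) for a dry run;
# prints the path of the temporary file it wrote.
ovpn_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed example config, not a real deployment
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1::/64   ; IPv6 inside the tunnel
push "route-ipv6 2001:db8:2::/64"
mssfix 1400
x509-username-field ext:subjectAltName
<ca>
-----BEGIN CERTIFICATE-----
not a real certificate
-----END CERTIFICATE-----
</ca>
EOF
    echo "$f"
}

# Usage: sh ovpn-triage.sh /path/to/openvpn.conf (script name assumed)
if [ $# -ge 1 ]; then
    ovpn_triage "$1"
fi
```

On the constructed sample the script reports CVE-2017-7508, CVE-2017-7512
and CVE-2017-7521 as exposed and CVE-2017-7520 as not indicated; a client
config with "http-proxy ... ntlm2" flips only the CVE-2017-7520 line. It
over-reports rather than under-reports (for instance it does not consider
whether a TCP transport makes mssfix moot), which is the right bias for
deciding upgrade order.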

Impact
======

An attacker in a man-in-the-middle position can access sensitive
information from a client that uses an HTTP proxy with NTLM
authentication to connect to the server. A remote attacker can crash a
server and, under specific conditions, possibly execute arbitrary code
on the affected host.

References
==========

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
https://github.com/OpenVPN/openvpn/commit/c3f47077a7
https://github.com/OpenVPN/openvpn/commit/2341f71619
https://github.com/OpenVPN/openvpn/commit/7718c8984f
https://github.com/OpenVPN/openvpn/commit/cb4e35ece4
https://github.com/OpenVPN/openvpn/commit/2d032c7fcd
https://security.archlinux.org/CVE-2017-7508
https://security.archlinux.org/CVE-2017-7512
https://security.archlinux.org/CVE-2017-7520
https://security.archlinux.org/CVE-2017-7521
