FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenVPN -- two remote denial-of-service vulnerabilities

Affected packages
openvpn < 2.3.15
2.4.0 <= openvpn < 2.4.2
openvpn23 < 2.3.15
2.4.0 <= openvpn-mbedtls < 2.4.2
openvpn-polarssl < 2.3.15
openvpn23-polarssl < 2.3.15

Details

VuXML ID 04cc7bd2-3686-11e7-aa64-080027ef73ec
Discovery 2017-05-10
Entry 2017-05-11

Samuli Seppänen reports:

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's the packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB).

References

CVE Name CVE-2017-7478
CVE Name CVE-2017-7479
URL https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
URL https://openvpn.net/index.php/open-source/downloads.html
URL https://ostif.org/?p=870&preview=true
URL https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-2-fixes-critical-issues-discovered-openvpn-audit-reports/