Summary:
Upstream OpenVPN has been audited. The audits identified two remote DoS vulnerabilities. OpenVPN-NL is _not_ vulnerable to the pre-authentication DoS attack (CVE-2017-7478), but _is_ vulnerable to the very inefficient authenticated remote DoS attack (CVE-2017-7479).
Due to the extremely limited nature of CVE-2017-7479, we will not release an OpenVPN-NL 2.3.x update, but instead continue our focus on making a 2.4.x release that contains these fixes.
Background:
Upstream OpenVPN 2.4 was simultaneously reviewed by Quarkslab (funded by OSTIF) and Cryptography Engineering LLC (funded by Private Internet Access) [0].
These audits both concluded that OpenVPN is a strong product, offering good security to its users. Also, both audits praised the efforts of OpenVPN-NL in hardening both OpenVPN and OpenVPN-NL.
The Quarkslab audit identified two remote Denial-of-Service vulnerabilities:
1) A pre-authentication Denial of Service (CVE-2017-7478)
This affects OpenVPN 2.3.12 and newer. The most recent OpenVPN-NL is based on OpenVPN 2.3.9, and therefore _not_ vulnerable.
Please refer to the upstream security announcement [0] for more information.
2) An authenticated Denial of Service (CVE-2017-7479)
A fully authenticated client can cause the server's packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196GB). This makes it a _very_ inefficient DoS attack.
Due to the extremely limited nature of CVE-2017-7479, we will not release an OpenVPN-NL 2.3.x update, but instead continue our focus on making a 2.4.x release that contains these fixes.
Please refer to the upstream security announcement [0] for more information.
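The failure mode behind CVE-2017-7479, as an added example (a simplified model, not OpenVPN or OpenVPN-NL code): a 32-bit packet-id counter that aborts on roll-over, next to a variant that refuses the packet and requests new keys instead. All names, the rekey threshold and the drop-and-rekey handling are assumptions of this example; the 49-byte packet size is chosen only because it reproduces the 196GB figure above when GB is read as 2^30 bytes.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a per-key outgoing packet-id counter.
 * All names and the soft limit are hypothetical, not OpenVPN's. */
struct pid_send { uint32_t id; };

#define PID_MAX      UINT32_MAX
#define PID_REKEY_AT 0xFF000000u   /* assumed soft limit for rekeying */

/* "Before": wrap is treated as impossible, so the 2^32-th packet
 * sent under one key aborts the whole process. */
uint32_t pid_next_assert(struct pid_send *p)
{
    p->id++;
    assert(p->id != 0);            /* fires when the counter rolls over */
    return p->id;
}

/* "After": never reuse an id, never abort. Returns false when the id
 * space is exhausted (caller drops the packet); sets *want_rekey once
 * the soft limit is reached so fresh keys reset the counter first. */
bool pid_next_checked(struct pid_send *p, uint32_t *id, bool *want_rekey)
{
    if (p->id == PID_MAX)
        return false;
    *id = ++p->id;
    *want_rekey = (p->id >= PID_REKEY_AT);
    return true;
}

/* Minimum traffic needed to exhaust the counter at a given packet size. */
uint64_t bytes_to_wrap(uint32_t bytes_per_packet)
{
    return ((uint64_t)1 << 32) * bytes_per_packet;
}

int main(void)
{
    struct pid_send p = { PID_MAX - 1 };   /* constructed: one id left */
    uint32_t id = 0;
    bool rekey = false;
    bool ok = pid_next_checked(&p, &id, &rekey);
    printf("last id: ok=%d id=%u rekey=%d\n", ok, (unsigned)id, rekey);
    printf("next:    ok=%d\n", pid_next_checked(&p, &id, &rekey));
    printf("49-byte packets: %llu GiB to wrap\n",
           (unsigned long long)(bytes_to_wrap(49) >> 30));
    return 0;
}
```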
[0] https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerA...
list-openvpn-nl@lists.fox-it.com