-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A new version of OpenVPN-NL (2.4.6-nl2) is available on the OpenVPN-NL website [1]. This version is based on OpenVPN 2.4.6 [2], and mbed TLS 2.9.0 [3].
This release resolves several security issues:
1) CVE-2018-9336: fix a potential double free() in the Windows Interactive Service
A local attacker could send malformed input data over the service pipe to the OpenVPN interactive service, which can result in a double free() in the error handling code. This usually only leads to a process crash (DoS by an unprivileged local account), but it could lead to memory corruption and potentially privilege escalation if it happens while multiple other threads are active at the same time.
This only affects users that run the interactive service on Windows.
2) Out-of-bounds read in the tap-windows driver
This allows a local attacker that is able to send invalid ICMPv6 packets from the local machine to the local tap-windows adapter to crash the local machine (BSOD). The overread data is not leaked to the attacker or peer.
3) Several bugfixes in mbed TLS
mbed TLS 2.8 fixed a number of denial-of-service bugs [4]. mbed TLS 2.9 fixed a number of parsing bugs, which have no or very limited impact on OpenVPN-NL, because most of the affected components are disabled, and the strict set of allowed ciphers prevents selecting an insecure cipher. Furthermore, the usage of tls-auth or tls-crypt prevents an attacker without the tls-auth/tls-crypt key from executing an attack.
This release uses a new (Extended Validation) Windows code-signing certificate for the tap-windows driver files. The SHA-1 fingerprint of this new certificate is: 27:FA:AB:56:C8:F3:52:FD:E8:2F:4E:E7:B0:81:52:4B:DD:94:28:91
The pre-existing certificate is still used for non-kernel-mode signing, such as the installers and the openvpn.exe and openvpnserv.exe binaries.
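The following PowerShell check is an added example and not part of the OpenVPN-NL announcement or the project's own tooling. It walks the installed tap-windows driver files, reads their Authenticode signature with Get-AuthenticodeSignature, and compares the signer's SHA-1 thumbprint against the fingerprint published above (the colons removed, since Windows reports thumbprints as a bare hex string). The install directory is an assumption; adjust it to where OpenVPN-NL is installed on the machine.

```powershell
# Added example: verify that the tap-windows driver files are signed with the
# new EV code-signing certificate announced for OpenVPN-NL 2.4.6-nl2.
# The fingerprint below is the one published in the announcement.
$ExpectedFingerprint = '27:FA:AB:56:C8:F3:52:FD:E8:2F:4E:E7:B0:81:52:4B:DD:94:28:91'
# Windows exposes certificate thumbprints as upper-case hex without separators.
$ExpectedThumbprint  = ($ExpectedFingerprint -replace ':', '').ToUpperInvariant()

# Assumed (hypothetical) install location; change it to match the local install.
$DriverDir = 'C:\Program Files\OpenVPN-NL\driver'

# Only .sys and .cat carry signatures; .inf files are covered by the catalog.
$Results = Get-ChildItem -Path $DriverDir -Recurse -Include *.sys, *.cat -File |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) {
                     $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
                 } else { $null }
        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status          # 'Valid' = signature and chain verified
            Thumbprint   = $thumb
            MatchesNewEV = ($thumb -eq $ExpectedThumbprint)
        }
    }

$Results | Format-Table -AutoSize

# Fail loudly if any driver file is unsigned, has a broken chain, or is signed
# by a certificate other than the announced EV certificate.
$Bad = $Results | Where-Object { $_.Status -ne 'Valid' -or -not $_.MatchesNewEV }
if ($Bad) {
    Write-Warning 'Driver files with an invalid signature or an unexpected signer:'
    $Bad | Format-Table File, Status, Thumbprint -AutoSize
    exit 1
}
Write-Host 'All tap-windows driver files carry a valid signature from the expected EV certificate.'
```

Get-AuthenticodeSignature reports only the primary signer, so a driver that also carries a Microsoft attestation counter-signature still shows the EV certificate here. A Status other than Valid on an otherwise correctly signed file usually points at a missing root or intermediate in the local certificate store rather than at the driver itself.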
References
----------
[1] https://openvpn.fox-it.com/
[2] https://github.com/OpenVPN/openvpn/blob/v2.4.6/Changes.rst
[3] https://tls.mbed.org/tech-updates/releases/mbedtls-2.9.0-2.7.3-and-2.1.12-released
[4] https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
list-openvpn-nl@lists.fox-it.com