[OpenVPN-NL] Security advisory - upstream audits, remote DoS

Steffan Karger steffan.karger at fox-it.com
Thu May 11 16:08:09 CEST 2017


Summary:

Upstream OpenVPN has been audited.  The audits identified two remote DoS
vulnerabilities.  OpenVPN-NL is _not_ vulnerable to the
pre-authentication DoS attack (CVE-2017-7478), but _is_ vulnerable to
the very inefficient authenticated remote DoS attack (CVE-2017-7479).

Due to the extremely limited nature of CVE-2017-7479, we will not
release an OpenVPN-NL 2.3.x update, but instead continue our focus on
making a 2.4.x release that contains these fixes.


Background:

Upstream OpenVPN 2.4 was simultaneously reviewed by Quarkslab (funded by
OSTIF) and Cryptography Engineering LLC (funded by Private Internet
Access) [0].

These audits both concluded that OpenVPN is a strong product, offering
good security to its users.  Also, both audits praised the efforts of
OpenVPN-NL in hardening both OpenVPN and OpenVPN-NL.

The Quarkslab audit identified two remote Denial-of-Service
vulnerabilities:

1) A pre-authentication Denial of Service (CVE-2017-7478)

This affects OpenVPN 2.3.12 and newer.  The most recent OpenVPN-NL is
based on OpenVPN 2.3.9, and therefore _not_ vulnerable.

Please refer to the upstream security announcement [0] for more
information.

2) An authenticated Denial of Service (CVE-2017-7479)

A fully authenticated client can cause the server's packet-id
counter to roll over, which would lead the server process to hit an
ASSERT() and stop running.  To make the server hit the ASSERT(), the
client must first cause the server to send it 2^32 packets (at least
196GB).  This makes it a _very_ inefficient DoS attack.

Due to the extremely limited nature of CVE-2017-7479, we will not
release an OpenVPN-NL 2.3.x update, but instead continue our focus on
making a 2.4.x release that contains these fixes.

Please refer to the upstream security announcement [0] for more
information.


[0]
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
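
The packet-id rollover behind CVE-2017-7479, as an added illustration that is not part of the advisory and is not OpenVPN or OpenVPN-NL code: a simplified 32-bit send counter, first with the assert-on-wrap pattern and then with a checked variant that treats exhaustion as a runtime condition. The type, the function names and the rekey threshold are assumptions made for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a per-key outgoing packet-id counter (32-bit). */
typedef struct { uint32_t id; } pid_send_t;

/* Fragile pattern: a wrap of the counter is treated as a programming
 * error, so a peer that can drive the counter to its limit stops the
 * whole process. */
uint32_t pid_next_assert(pid_send_t *p)
{
    p->id++;
    assert(p->id != 0);          /* fires after 2^32 increments */
    return p->id;
}

/* Hardened pattern: exhaustion is an expected runtime condition.
 * Refuse to issue an id so the caller can drop the packet or rekey. */
bool pid_next_checked(pid_send_t *p, uint32_t *out)
{
    if (p->id == UINT32_MAX)
        return false;            /* never reuse an id, never abort */
    *out = ++p->id;
    return true;
}

/* True once the counter is close enough to the limit that the caller
 * should negotiate a fresh key (threshold value is an assumption). */
bool pid_should_rekey(const pid_send_t *p)
{
    return p->id >= 0xFF000000u;
}

int main(void)
{
    pid_send_t p = { .id = UINT32_MAX - 2 };  /* constructed state near the limit */
    uint32_t id;

    while (pid_next_checked(&p, &id))
        printf("sent packet id %u (rekey wanted: %d)\n",
               (unsigned)id, pid_should_rekey(&p));
    printf("counter exhausted: packet dropped, process keeps running\n");
    return 0;
}
```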
