[OpenVPN-NL] OpenVPN-NL 2.3.9-nl3 released

[Steffan Karger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A new version of OpenVPN-NL (2.3.9-nl3) is available on the OpenVPN-NL
website [1]. This version is based on OpenVPN 2.3.9 [2], and PolarSSL
1.2.19 [3].

This new version of OpenVPN-NL includes two security fixes:

1) Post-authentication client-to-server denial-of-service
A fully authenticated client can send a specially crafted packet to
the OpenVPN server, causing the server to crash.  An attacker needs a
valid certificate, and - if it is in use - a valid tls-auth key to
mount this attack.  Only servers that have enabled IPv6 inside the
tunnel are affected (e.g. through the --server-ipv6,
- --ifconfig-ipv6-pool, --ifconfig-ipv6-push or --iroute-ipv6 options).

2) Pre-authentication remote crash/information disclosure for clients
If clients use a HTTP proxy with NTLM authentication (i.e.
"--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
a man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password.

If the proxy password is not reused, this is unlikely to compromise
the security of the OpenVPN tunnel itself.  Clients who do not use
the --http-proxy option with ntlm2 authentication are not affected.

This release removes the --http-proxy NTLM authentication methods to
remove the vulnerability.  NTLM authentication will be re-added once
we have regained confidence in the quality of the NTLM authentication
module code.

Furthermore, this release force-disables MD5 digests for certificates.
This is a hardening measure that prevents accidental misconfiguration
where the Certificate Authority may issue certificates with MD5 digests.

Users are advised to upgrade all OpenVPN-NL servers to 2.3.9-nl3, and
upgrade clients if the vulnerable HTTP proxy with ntlm2 authentication
is used.

More information on the vulnerabilities can be found at [4].

References
- ----------
[1] https://openvpn.fox-it.com/
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3]
https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-an
d-polarssl.1.2.19-released
[4]
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN
243
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZSlvzAAoJEEEwndWOY1w57AwH/iMrL5rKp+qazbZspfyTFZwq
7RGhWQoML/QpHQeycznQ7zb+b7YXYb/JWFoW95s2VisDeZDv63oDB7QxhqpMW7je
dXdmxV3TM1xW1exjd86EP2eTNG6/80z4ZDJg1rTP3aXPPwBWL77UHKLVTeL49PxK
SjhY+kPhVj9tjgPxYZzQa88R8X34JoLVKo0OhcciyJ48Pk2/6NJnI+rKf5EB337f
bEyPVqat7I4IcPWgTOYurx0V2ljrVJN7xlIj7lm2J4phzuTffl1NC4iUbmYgGBnD
bS7H92wqe2MxZts54QcFVDEKZpiv444qbHoc7vrocSM9BBeZfwOidaRyA0TCG/Q=
=PhV3
-----END PGP SIGNATURE-----