Security flaws in OpenVPN

By Qubic News, 6 months ago

Guido Vranken, a data security researcher, has discovered four dangerous bugs in OpenVPN. Vranken reports using a fuzzer in order to discover them.

Here is a full list of the newly-discovered vulnerabilities with brief explanations:

  1. CVE-2017-7521

By taking advantage of this vulnerability, an attacker can remotely crash the server and cause a memory leak. In other words, this vulnerability can be used to drain the server of memory.

  2. CVE-2017-7520

This vulnerability only affects those who use OpenVPN to connect to a Windows NTLM version 2 proxy. It makes a man-in-the-middle attack possible, which could potentially lead to a data leak. The fact that passwords are stored in plain text is another reason for concern.

  3. CVE-2017-7508

Abusing this bug can crash the OpenVPN server. To do this, an attacker needs to send crafted data to the system.

  4. CVE-2017-7522

Affecting OpenVPN 2.4, this vulnerability can lead to crashes of TLS/PolarSSL-based servers.

Additional information

Vranken also shared some additional insights into his bug-discovering methodology. For one, he believes that using a fuzzer is superior to reviewing the code manually. He said a human mind can only comprehend and retain a limited amount of information at any given time. Manual code review simply pales in comparison to specialised software.

Over the past two years, OpenVPN has been carrying out audits, but for some reason, they have missed these flaws.

To stay safe while using this software, you should not hesitate to download the automatic updates which address these issues.
