Bugzilla – Bug 1038709
VUL-0: CVE-2017-7478: openvpn: Authenticated user can DoS server by using a big payload in P_CONTROL
Last modified: 2017-10-26 06:13:06 UTC
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Identified by Quarkslab (funded by OSTIF) and Cryptography Engineering LLC (funded by Private Internet Access).

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response).

This affects OpenVPN 2.3.12 and newer.

The problem has been fixed by commit "Don't assert out on receiving too-large control packets":

release/2.3: <git-commit-id>
release/2.4: <git-commit-id>
master: <git-commit-id>

OpenVPN versions 2.4.2 (and later) include these fixes.
This is 5774cf4c25e1d8bf4e544702db8f157f111c9d93
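The failure mode in the description at the top of this bug, reduced to a minimal C sketch. This is an added example, not OpenVPN's code or the referenced commit; the buffer capacity, the simplified 9-byte header and all function names are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTRL_BUF_CAP 64   /* hypothetical capacity of one control-channel buffer */
#define HDR_LEN 9         /* simplified header: 1 opcode byte + 8-byte session ID */

enum rx_result { RX_ACCEPTED, RX_DROP_SHORT, RX_DROP_OVERSIZE };
struct ctrl_buf { uint8_t data[CTRL_BUF_CAP]; size_t len; };

/* "Before" pattern: the length comes from the peer, so the assertion is
 * reachable from the network and a too-large payload ends the whole process. */
void rx_asserting(struct ctrl_buf *b, const uint8_t *pkt, size_t n)
{
    assert(n >= HDR_LEN);
    assert(n - HDR_LEN <= CTRL_BUF_CAP);
    b->len = n - HDR_LEN;
    memcpy(b->data, pkt + HDR_LEN, b->len);
}

/* "After" pattern: a bad length means a malformed packet; drop it and
 * leave the buffer untouched so the server and its other sessions keep running. */
enum rx_result rx_checked(struct ctrl_buf *b, const uint8_t *pkt, size_t n)
{
    if (n < HDR_LEN)
        return RX_DROP_SHORT;
    if (n - HDR_LEN > CTRL_BUF_CAP)
        return RX_DROP_OVERSIZE;
    b->len = n - HDR_LEN;
    memcpy(b->data, pkt + HDR_LEN, b->len);
    return RX_ACCEPTED;
}

/* Constructed input: returns bytes stored, or -(drop reason) if rejected. */
int demo_payload_len(size_t payload_len)
{
    uint8_t pkt[HDR_LEN + 2 * CTRL_BUF_CAP] = {0};
    struct ctrl_buf b = { .len = 0 };
    enum rx_result r = rx_checked(&b, pkt, HDR_LEN + payload_len);
    return r == RX_ACCEPTED ? (int)b.len : -(int)r;
}

int main(void)
{
    printf("%d %d\n", demo_payload_len(16), demo_payload_len(100));
    return 0;
}
```

When auditing for this class of bug, look for assertions whose condition depends on a length or count taken from a received packet; each one is a remote process-exit primitive unless an earlier check (such as the HMAC gate mentioned above) rejects the packet first.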
This is an autogenerated message for OBS integration:
This bug (1038709) was mentioned in
https://build.opensuse.org/request/show/500570 42.2 / openvpn
https://build.opensuse.org/request/show/500580 42.3 / openvpn
SUSE-SU-2017:1622-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Server 12-SP2 (src): openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src): openvpn-2.3.8-16.14.1
openSUSE-SU-2017:1638-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
openSUSE Leap 42.2 (src): openvpn-2.3.8-8.6.1
SUSE-SU-2017:1718-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1044947,959511,988522
CVE References: CVE-2017-7478,CVE-2017-7479,CVE-2017-7508,CVE-2017-7520,CVE-2017-7521
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openvpn-openssl1-2.3.2-0.9.1
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openvpn-2.0.9-143.47.3.1
released