Bug 1038709 - (CVE-2017-7478) VUL-0: CVE-2017-7478: openvpn: Authenticated user can DoS server by using a big payload in P_CONTROL
(CVE-2017-7478)
VUL-0: CVE-2017-7478: openvpn: Authenticated user can DoS server by using a b...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3:RedHat:CVE-2017-7478:7.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-11 14:26 UTC by Johannes Segitz
Modified: 2017-10-26 06:13 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
vpereira: needinfo? (nirmoy.das)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-05-11 14:26:55 UTC
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Identified by Quarkslab (funded by OSTIF) and Cryptography Engineering LCC (funded by Private Internet Access).

 n authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response).

This affects OpenVPN 2.3.12 and newer. The problem has been fixed by commit "Don't assert out on receiving too-large control packets":

    release/2.3: <git-commit-id>
    release/2.4: <git-commit-id>
    master: <git-commit-id> 

OpenVPN versions 2.4.2 (and later) include these fixes.
Comment 1 Johannes Segitz 2017-05-11 15:37:00 UTC
This is 5774cf4c25e1d8bf4e544702db8f157f111c9d93
Comment 8 Bernhard Wiedemann 2017-06-02 10:01:52 UTC
This is an autogenerated message for OBS integration:
This bug (1038709) was mentioned in
https://build.opensuse.org/request/show/500570 42.2 / openvpn
https://build.opensuse.org/request/show/500580 42.3 / openvpn
Comment 9 Swamp Workflow Management 2017-06-20 10:11:48 UTC
SUSE-SU-2017:1622-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Server 12-SP2 (src):    openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openvpn-2.3.8-16.14.1
Comment 10 Swamp Workflow Management 2017-06-21 16:12:46 UTC
openSUSE-SU-2017:1638-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
openSUSE Leap 42.2 (src):    openvpn-2.3.8-8.6.1
Comment 12 Swamp Workflow Management 2017-06-29 16:12:48 UTC
SUSE-SU-2017:1718-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1044947,959511,988522
CVE References: CVE-2017-7478,CVE-2017-7479,CVE-2017-7508,CVE-2017-7520,CVE-2017-7521
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openvpn-openssl1-2.3.2-0.9.1
Comment 14 Swamp Workflow Management 2017-10-24 13:07:32 UTC
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
Comment 15 Marcus Meissner 2017-10-26 06:13:06 UTC
released