Bug 1217073 (CVE-2023-46849) - VUL-0: CVE-2023-46849: openvpn: Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero
Status: IN_PROGRESS
Alias: CVE-2023-46849
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/384598/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46849:5.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-13 09:39 UTC by SMASH SMASH
Modified: 2023-12-20 12:40 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-13 09:39:52 UTC
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46849
https://github.com/OpenVPN/openvpn/issues/400
https://github.com/OpenVPN/openvpn/issues/400#issuecomment-1806071027
Comment 1 Gianluca Gabrielli 2023-11-13 09:51:14 UTC
According to the v2.6.7 release notes [0], this CVE only affects openvpn >= v2.6.0.
Nevertheless, I can see the affecting code in older versions as well.

 - SUSE:SLE-15:Update/openvpn  v2.5.6
 - openSUSE:Factory/openvpn    v2.4.3

In this comment [1], upstream mentions the two fixing commits [2][3], which in turn mention a refactoring commit [4] and another one which I believe is [5], both pushed to v2.6_beta1.

Can you please review them and provide your feedback? If you agree that the above-mentioned codestreams are affected, please submit the patches.

In any case please submit a version bump to:

 - SUSE:SLE-15-SP4:Update/openvpn  v2.6.6
 

[0] https://github.com/OpenVPN/openvpn/releases/tag/v2.6.7
[1] https://github.com/OpenVPN/openvpn/issues/400#issuecomment-1806071027
[2] https://github.com/OpenVPN/openvpn/commit/57a5cd1e12f193927c9b7429f8778fec7e04c50a
[3] https://github.com/OpenVPN/openvpn/commit/1cfca659244e362f372d9843351257f456392a2f
[4] https://github.com/OpenVPN/openvpn/commit/9a7b95fda56127df6de6fe7c60e08fb5b67a9919
[5] https://github.com/OpenVPN/openvpn/commit/4e9e25a9e547ab6e1f71003947a2d186dc231cb6
Comment 2 Gianluca Gabrielli 2023-11-13 09:55:04 UTC
(In reply to Gianluca Gabrielli from comment #1)
> Nevertheless, I can see the affecting code in older versions as well.
> 
>  - SUSE:SLE-15:Update/openvpn  v2.5.6
>  - openSUSE:Factory/openvpn    v2.4.3
> 
> [...]
>
> In any case please submit a version bump to:
> 
>  - SUSE:SLE-15-SP4:Update/openvpn  v2.6.6

Sorry, I meant:

[...]
Nevertheless, I can see the affecting code in older versions as well.

 - SUSE:SLE-15:Update/openvpn      v2.4.3
 - SUSE:SLE-15-SP4:Update/openvpn  v2.5.6

[...]

In any case please submit a version bump to:

 - openSUSE:Factory/openvpn  v2.6.6
[...]
Comment 8 Mohd Saquib 2023-12-06 07:03:25 UTC
Assigning to security team