Bugzilla – Bug 1060877
VUL-0: CVE-2017-12166: openvpn: OpenVPN CVE-2017-12166: remote buffer overflow
Last modified: 2017-12-01 17:11:27 UTC
CVE-2017-12166

From: Guido Vranken <guidovranken@gmail.com>
Subject: [oss-security] OpenVPN CVE-2017-12166: remote buffer overflow
Date: Thu, 28 Sep 2017 12:06:51 +0200

This concerns a remote buffer overflow vulnerability in OpenVPN. It has been fixed in OpenVPN 2.4.4 and 2.3.18, released on 26 Sept 2017. It is suspected that only a small number of users is vulnerable to this issue, because it requires having explicitly enabled the outdated 'key method 1'.

The OpenVPN advisory can be found here: https://community.openvpn.net/openvpn/wiki/CVE-2017-12166

In ssl.c, key_method_1_read() calls read_key() which doesn't perform adequate bounds checks. cipher_length and hmac_length are specified by the peer:

    uint8_t cipher_length;
    uint8_t hmac_length;

    CLEAR(*key);
    if (!buf_read(buf, &cipher_length, 1))
    {
        goto read_err;
    }
    if (!buf_read(buf, &hmac_length, 1))
    {
        goto read_err;
    }

And this many bytes of data are then read into key->cipher and key->hmac:

    if (!buf_read(buf, key->cipher, cipher_length))
    {
        goto read_err;
    }
    if (!buf_read(buf, key->hmac, hmac_length))
    {
        goto read_err;
    }

In other words, it's a classic example of bounds check resulting in a buffer overflow.

Like my previous set of OpenVPN vulnerabilities, this issue was also found with fuzzing.

Guido

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12166
http://seclists.org/oss-sec/2017/q3/563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
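To make the defect above concrete, here is an added, self-contained model of read_key() with the destination-size check that the quoted code lacks; it is example code written for this report, not OpenVPN's own source, and the 64-byte key sizes, the struct buffer stand-in and the simplified buf_read() are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Destination sizes modelled on OpenVPN's struct key; 64 bytes each is an assumption here. */
#define MAX_CIPHER_KEY_LENGTH 64
#define MAX_HMAC_KEY_LENGTH   64

struct key {
    uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
    uint8_t hmac[MAX_HMAC_KEY_LENGTH];
};

/* Stand-in for OpenVPN's struct buffer / buf_read(): a cursor over the peer's packet.
 * It only checks that n bytes remain in the SOURCE; the DESTINATION size is the
 * caller's responsibility, which is exactly what the vulnerable read_key() forgot. */
struct buffer { const uint8_t *data; size_t len; size_t pos; };

static bool buf_read(struct buffer *buf, void *dst, size_t n)
{
    if (buf->len - buf->pos < n) return false;
    memcpy(dst, buf->data + buf->pos, n);
    buf->pos += n;
    return true;
}

/* read_key() with the check CVE-2017-12166 lacked: the peer-chosen lengths are
 * compared against the destination arrays before being used as copy lengths.
 * Without the marked line, cipher_length = 255 would write 191 bytes past key->cipher. */
static bool read_key_checked(struct key *key, struct buffer *buf)
{
    uint8_t cipher_length, hmac_length;
    memset(key, 0, sizeof(*key));                 /* CLEAR(*key) */
    if (!buf_read(buf, &cipher_length, 1)) return false;
    if (!buf_read(buf, &hmac_length, 1)) return false;
    if (cipher_length > MAX_CIPHER_KEY_LENGTH || hmac_length > MAX_HMAC_KEY_LENGTH)
        return false;                             /* the missing bounds check */
    if (!buf_read(buf, key->cipher, cipher_length)) return false;
    if (!buf_read(buf, key->hmac, hmac_length)) return false;
    return true;
}

/* Parse one key packet laid out as [cipher_length][hmac_length][cipher...][hmac...]. */
bool parse_key_packet(const uint8_t *pkt, size_t len)
{
    struct key k;
    struct buffer b = { pkt, len, 0 };
    return read_key_checked(&k, &b);
}
```

The rejected cases are a cipher_length larger than the destination array and a packet shorter than its own declared lengths; a packet exactly at the 64-byte limits is still accepted.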
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): openvpn-2.0.9-143.47.3.1
SUSE-SU-2017:2839-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE OpenStack Cloud 6 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP3 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP2 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-LTSS (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP3 (src): openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP2 (src): openvpn-2.3.8-16.20.1
release for Leap, done
openSUSE-SU-2017:2892-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
openSUSE Leap 42.3 (src): openvpn-2.3.8-14.1
openSUSE Leap 42.2 (src): openvpn-2.3.8-8.13.1
We missed openvpn-openssl1 (SUSE:SLE-11-SP3:Update/openvpn-openssl1). Can you add the fixes from the current openvpn round to this and submit?
released
SUSE-SU-2017:3177-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openvpn-openssl1-2.3.2-0.10.3.1