Researcher calls the fuzz on OpenVPN, uncovers crashy vulns

OpenVPN has patched a bunch of security vulnerabilities that can be exploited to crash the service or, at a pinch, potentially gain remote-code execution. You should update your installations to versions 2.4.3 or 2.3.17 as soon as you can just to be on the safe side. The four holes were found by Guido Vranken, who took a …

  1. Anonymous Coward

    Details, details...

    "To exploit this, an attacker authenticates and then sends crafted data to crash the server to get remote code execution access."

    Does that authentication have to be successful or not? Because if it does then I think the risks of this exploit are somewhat limited.

    1. foxyshadis

      Re: Details, details...

      Nope, doesn't have to succeed; it's during the processing of the initial certificate exchange that it happens. An actual RCE hasn't been demonstrated, just a crash, but of the sort that an RCE could probably be created from. Another potential RCE, as well as multiple information leakages, are available if the attacker actively manipulates data as a MITM (which is usually only possible if server verification is turned off).

    2. diodesign (Written by Reg staff) Silver badge

      Re: ShelLuser

      We've tidied up that sentence. Some of the bugs require authentication, some don't. Crucially, remote code execution looks extremely unlikely (thankfully!) - update just in case, of course.

      C.

  2. Christian Berger

    It shows that there is one feature missing

    There's a comparatively high number of OpenVPN installations that just connect two computers 1:1 to each other. Currently those typically use a shared key, which has the advantage of shutting out most of the bugs mentioned here, but has the disadvantage that all the data can be decrypted once the key has leaked.

    If there was a feature that would get around that, by using the shared key only for authentication, but using forward secrecy to negotiate its own key, we'd gain a lot more security for little more code.

    1. sitta_europea Silver badge

      Re: It shows that there is one feature missing

      Nope. Set up the tunnel, then ssh over it.

    2. foxyshadis

      Re: It shows that there is one feature missing

      What do you mean, "if there was a feature"? Just use TLS, don't use the pre-shared key method. It's explicitly recommended against in the documentation. TLS (with or without an additional PSK auth) already gives you perfect forward secrecy and has for over a decade.

      Just stop being lazy and use certificates.

      1. Christian Berger

        Re: It shows that there is one feature missing

        Yeah, but then I'd have used far more of the code, and those bugs would have been relevant.

        TLS simply isn't a very good protocol security-wise, as it's too complex to be implemented sufficiently error-free, and it has the outdated security model of CAs.
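As an added illustration of the two modes foxyshadis and Christian Berger are arguing about (not from any commenter or from the OpenVPN project): the static-key point-to-point configuration beside the equivalent TLS-mode point-to-point configuration with a tls-auth pre-shared key. File names, hostnames and tunnel addresses are assumptions.

```conf
# --- Static (pre-shared) key mode: no forward secrecy ---
# Both peers use the identical key file. Whoever later obtains static.key
# can decrypt every capture ever made of this tunnel.
dev tun
proto udp
port 1194
remote peer-b.example.invalid    # placeholder hostname; omit on the listening peer
ifconfig 10.8.0.1 10.8.0.2       # swap the two addresses on the other peer
secret static.key                # made with: openvpn --genkey --secret static.key
cipher AES-256-CBC               # AEAD ciphers (GCM) are not available in --secret mode
auth SHA256

# --- TLS mode, point-to-point: per-session keys, so a leaked long-term key
# --- does not expose past traffic. Peer A (tls-server):
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
tls-server
ca ca.crt                        # CA that issued both peers' certificates
cert peerA.crt
key peerA.key
dh dh2048.pem                    # DH parameters, server side only
tls-auth ta.key 0                # optional extra PSK: HMAC on the control channel;
                                 # packets without a valid HMAC are dropped before
                                 # any TLS parsing, i.e. before the code paths an
                                 # unauthenticated peer could otherwise reach
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client           # peer B's cert must carry the clientAuth EKU

# Peer B (tls-client): same as peer A except the following lines,
# and no dh line.
remote peer-a.example.invalid
ifconfig 10.8.0.2 10.8.0.1
tls-client
cert peerB.crt
key peerB.key
tls-auth ta.key 1                # same ta.key, opposite key direction
remote-cert-tls server           # peer A's cert must carry the serverAuth EKU
```

Both tls-auth directions share one ta.key, so the "additional PSK auth" foxyshadis mentions costs one extra file on each side while the session keys still come from the TLS handshake.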

  3. Anonymous Coward

    Quick work - updates are starting to show up everywhere.

    Even Tunnelblick already flagged an update. I'm a bit worried about such agility in that I hope people don't take shortcuts with testing, but in general I'm quite impressed.
