FreeBSD : OpenVPN -- two remote denial-of-service vulnerabilities (04cc7bd2-3686-11e7-aa64-080027ef73ec)

high Nessus Plugin ID 100140


Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Samuli Seppanen reports:

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB). (CVE-2017-7479)
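
The report above notes that servers running tls-auth or tls-crypt are shielded from the CVE-2017-7478 crash because a P_CONTROL packet is only accepted with a valid HMAC. As an added check for operators who cannot update immediately (example code written for this page, not the advisory's or the OpenVPN project's), the script below reports whether a server configuration file actually enables one of those directives. It assumes the directives appear in the standard one-per-line form, or as inline <tls-auth>/<tls-crypt> blocks; the two configurations it inspects are constructed samples.

```shell
#!/bin/sh
# Added example for this page (not code from the advisory or the OpenVPN
# project): report whether an OpenVPN server config enables the control-channel
# HMAC (tls-auth or tls-crypt) that makes the server drop P_CONTROL packets
# lacking a valid HMAC, the condition under which CVE-2017-7478 is not reachable.
# Assumption: directives are in the usual one-per-line form, or as inline
# <tls-auth>/<tls-crypt> blocks. Comment lines (# or ;) do not count.

# Exit 0 if CONFIG carries tls-auth/tls-crypt, 1 otherwise.
openvpn_control_channel_protected() {
    cfg="$1"
    grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)([[:space:]]|$)' "$cfg" && return 0
    grep -Eq '^[[:space:]]*<(tls-auth|tls-crypt)>[[:space:]]*$' "$cfg" && return 0
    return 1
}

# Print "protected" or "exposed" for CONFIG.
classify_openvpn_config() {
    if openvpn_control_channel_protected "$1"; then
        printf 'protected\n'
    else
        printf 'exposed\n'
    fi
}

# Constructed sample configs, written to a temp dir so the functions can be
# exercised without a real OpenVPN install.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

EXPOSED_CONF="$tmpdir/exposed.conf"
PROTECTED_CONF="$tmpdir/protected.conf"

cat > "$EXPOSED_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# tls-auth ta.key 0   (commented out: the HMAC is NOT in effect)
EOF

cat > "$PROTECTED_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
EOF

for f in "$EXPOSED_CONF" "$PROTECTED_CONF"; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_openvpn_config "$f")"
done
```

Against a live server, call classify_openvpn_config on the real file (for instance /usr/local/etc/openvpn/server.conf, assuming the port's default location). A result of "protected" means only that unauthenticated peers cannot deliver the oversized P_CONTROL payload; the report makes that claim for CVE-2017-7478 alone, and since CVE-2017-7479 is triggered by a client that is already authenticated (and so already holds the tls-auth/tls-crypt key), updating the package remains the fix for both.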

Solution

Update the affected packages.
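
One way to see which installed OpenVPN packages still need that update, as an added example that is not part of the Nessus plugin or the FreeBSD port: the script compares each package version against the first fixed release. The 2.3.15 threshold for the openvpn23 ports is the one the report above states; the 2.4.2 threshold for the openvpn, openvpn-mbedtls and openvpn-polarssl ports is taken from the OpenVPN 2.4.2 release announcement and is an assumption as far as this page is concerned. It expects package strings in the pkg info form name-version, drops a FreeBSD PORTREVISION (_N) or PORTEPOCH (,N) suffix before comparing, and scans a constructed sample list.

```shell
#!/bin/sh
# Added example for this page (not code from the Nessus plugin or the FreeBSD
# port): flag installed OpenVPN packages that predate the fixed releases.
# Thresholds: 2.3.15 for the openvpn23 ports (stated in the report above);
# 2.4.2 for openvpn/openvpn-mbedtls/openvpn-polarssl (assumed from the OpenVPN
# 2.4.2 release announcement, not from this page).
# Assumption: package strings look like `pkg info` output ("name-version"),
# where a PORTREVISION ("_1") or PORTEPOCH (",1") suffix carries no upstream
# meaning and is dropped before comparing.

# Drop FreeBSD port suffixes: "2.3.14_1,1" -> "2.3.14".
strip_port_suffix() {
    v="$1"
    v="${v%%,*}"
    v="${v%%_*}"
    printf '%s\n' "$v"
}

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B, comparing up to four
# dot-separated numeric components. Missing components count as 0 and a
# non-numeric tail such as "rc1" is ignored.
vercmp() {
    i=1
    while [ "$i" -le 4 ]; do
        ax=$(printf '%s.0.0.0\n' "$1" | cut -d. -f"$i"); ax=${ax%%[!0-9]*}; ax=${ax:-0}
        bx=$(printf '%s.0.0.0\n' "$2" | cut -d. -f"$i"); bx=${bx%%[!0-9]*}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] && { printf -- '-1\n'; return 0; }
        [ "$ax" -gt "$bx" ] && { printf -- '1\n'; return 0; }
        i=$((i + 1))
    done
    printf '0\n'
}

# Map a port name from the advisory's package list to its first fixed version;
# fail for packages the advisory does not cover.
fixed_version_for() {
    case "$1" in
        openvpn23|openvpn23-polarssl)             printf '2.3.15\n' ;;
        openvpn|openvpn-mbedtls|openvpn-polarssl) printf '2.4.2\n' ;;
        *) return 1 ;;
    esac
}

# check_pkg "name-version": print vulnerable, fixed or not-affected.
check_pkg() {
    name="${1%-*}"
    ver="${1##*-}"
    fixed=$(fixed_version_for "$name") || { printf 'not-affected\n'; return 0; }
    if [ "$(vercmp "$(strip_port_suffix "$ver")" "$fixed")" -lt 0 ]; then
        printf 'vulnerable\n'
    else
        printf 'fixed\n'
    fi
}

# Read "name-version" lines (first column of `pkg info`) and print a verdict
# for each, with the threshold that applied.
audit_pkg_list() {
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        fixed=$(fixed_version_for "${pkg%-*}") || fixed='-'
        printf '%-28s %-13s (fixed in %s)\n' "$pkg" "$(check_pkg "$pkg")" "$fixed"
    done
}

# Constructed sample in the shape of `pkg info | awk '{print $1}'`.
SAMPLE_PKGS='openvpn-2.4.0
openvpn23-2.3.14_1
openvpn-mbedtls-2.4.2
openvpn23-polarssl-2.3.15,1
curl-7.54.0'

printf '%s\n' "$SAMPLE_PKGS" | audit_pkg_list
```

On the host itself the same scan is `pkg info | awk '{print $1}' | audit_pkg_list`; the version comparison is deliberately simple and is meant as a cross-check, not a replacement for `pkg audit -F`, which consults the FreeBSD VuXML database the plugin's identifier refers to.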

See Also

https://openvpn.net/community-downloads/

http://www.nessus.org/u?5c722f7c

http://www.nessus.org/u?0ade83fb

http://www.nessus.org/u?07d71b0e

http://www.nessus.org/u?6bf3927c

Plugin Details

Severity: High

ID: 100140

File Name: freebsd_pkg_04cc7bd2368611e7aa64080027ef73ec.nasl

Version: 3.8

Type: local

Published: 5/12/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:openvpn, p-cpe:/a:freebsd:freebsd:openvpn-mbedtls, p-cpe:/a:freebsd:freebsd:openvpn-polarssl, p-cpe:/a:freebsd:freebsd:openvpn23, p-cpe:/a:freebsd:freebsd:openvpn23-polarssl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/11/2017

Vulnerability Publication Date: 5/10/2017

Reference Information

CVE: CVE-2017-7478, CVE-2017-7479