Jump to content
Not connected, Your IP: 18.118.193.28
AirVPN
tiger83052

4 important security vulnerabilities discovered in OpenVPN - not found by the two recently completed audits of OpenVPN code

By tiger83052, ... in General & Suggestions

Recommended Posts

tiger83052    4

tiger83052
Posted ...

full article : https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/

 

Summary

"I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how  I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities."

cm0s reacted to this

Share this post

Link to post

Keksjdjdke    35

Keksjdjdke
Posted ...

full article : https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/

 

Summary

"I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how  I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities."

 

Eddie should be updated to use OpenVPN 2.4.3 all the exploits have been fixed in that version security announcement

Share this post

Link to post

BlaatAap66    1

BlaatAap66
Posted ...

This is a mainly a server-side issue! AirVPN should update their servers accordingly as soon as possible! Everything that isn't 2.4.3 or 2.3.17 is affected. Right now I on the status pages I only see various older 2.3 versions and some 2.4.0 servers.

Share this post

Link to post

Keksjdjdke    35

Keksjdjdke
Posted ...

The Linux Mint Update Manager has just offered openvpn "2.3.10-1ubuntu2.1" from the Ubuntu repo. The Changelog includes the fixes from

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

such as CVE-2017-7508.

I have no idea why the version labelling appears so confusing and worrying.

Just Compile the Latest Version OpenVPN 2.4.3 From Source And Install it From Terminal.

https://openvpn.net/index.php/open-source/downloads.html

Compile and install Instructions

Unix:

./configure && make && make-install

Share this post

Link to post

pr1v    36

pr1v
Posted ...

Staff: opinions about an update soon?, If I'm not wrong it's very important to update Eddie and the server with these last vulnerabilities. Thanks.

Share this post

Link to post

Staff    9972

Staff
Posted ...

Hello,

 

Guido Vranken's job has been remarkably good, surely better than QuarkLabs audit funded by OSTIF donors (including AirVPN). Even the scientific and pragmatic approach of Vranken has proved to be substantially superior.

 

It's important to know that there is no vulnerability that affects us except one: through an exploit of a vulnerability, OpenVPN daemons can have memory leaks which on the long run may cause problems to the whole system - even a crash needing a reboot. That would be of course most annoying therefore we are speeding up upgrade of OpenVPN on the servers.

 

Kind regards

rarez, tiger83052, djbclark and 1 other reacted to this

Share this post

Link to post
Guest
This topic is now closed to further replies.
Go To Topic Listing
×
×
  • Create New...