Jump to content
Not connected, Your IP: 3.145.39.176
tiger83052

4 important security vulnerabilities discovered in OpenVPN - not found by the two recently completed audits of OpenVPN code

Recommended Posts

full article : https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/

 

Summary

"I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how  I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities."

Share this post


Link to post

full article : https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/

 

Summary

"I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how  I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities."

 

Eddie should be updated to use OpenVPN 2.4.3 all the exploits have been fixed in that version security announcement

Share this post


Link to post

This is a mainly a server-side issue! AirVPN should update their servers accordingly as soon as possible! Everything that isn't 2.4.3 or 2.3.17 is affected. Right now I on the status pages I only see various older 2.3 versions and some 2.4.0 servers.

Share this post


Link to post

The Linux Mint Update Manager has just offered openvpn "2.3.10-1ubuntu2.1" from the Ubuntu repo. The Changelog includes the fixes from

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

such as CVE-2017-7508.

I have no idea why the version labelling appears so confusing and worrying.

Just Compile the Latest Version OpenVPN 2.4.3 From Source And Install it From Terminal.

https://openvpn.net/index.php/open-source/downloads.html

Compile and install Instructions

Unix:

./configure && make && make-install

Share this post


Link to post

Staff: opinions about an update soon?, If I'm not wrong it's very important to update Eddie and the server with these last vulnerabilities. Thanks.

Share this post


Link to post

Hello,

 

Guido Vranken's job has been remarkably good, surely better than QuarkLabs audit funded by OSTIF donors (including AirVPN). Even the scientific and pragmatic approach of Vranken has proved to be substantially superior.

 

It's important to know that there is no vulnerability that affects us except one: through an exploit of a vulnerability, OpenVPN daemons can have memory leaks which on the long run may cause problems to the whole system - even a crash needing a reboot. That would be of course most annoying therefore we are speeding up upgrade of OpenVPN on the servers.

 

Kind regards

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...