OpenVPN Fixed Remotely Exploitable Flaws Gone Undetected By Recent Audits

June 27, 2017 by Pierluigi Paganini

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques; it is used for creating secure point-to-point or site-to-site connections in routed or bridged configurations and for remote access.

OpenVPN uses a custom security protocol that leverages SSL/TLS for key exchange; it is one of the most popular VPN solutions for protecting anonymity while surfing the Internet.

This year, two security audits were conducted on the OpenVPN software searching for vulnerabilities or loopholes. One of the assessments was conducted by a research team led by the prominent crypto expert Dr. Matthew D. Green from the Johns Hopkins University. The researchers searched for both cryptographic weaknesses and memory-related flaws between December 2016 and February 2017. The experts did not find major flaws.

A second audit was conducted by experts at Quarkslab between February and April 2017. The audit focused on OpenVPN for Windows and Linux; both audits were conducted on OpenVPN 2.4.

This second audit allowed the experts to discover a high severity vulnerability tracked as CVE-2017-7478. The flaw is a denial-of-service (DoS) issue that could be exploited by an unauthenticated attacker to crash OpenVPN clients and servers. Researchers at Quarkslab also discovered other low severity flaws, and a medium severity DoS vulnerability tracked as CVE-2017-7479 that can only be exploited by an authenticated attacker.

Both audits revealed multiple security vulnerabilities in the OpenVPN application, but some others remained undetected.

Now a new series of tests has been conducted by the researcher Guido Vranken through fuzzing. The expert discovered four bugs in OpenVPN 2.4.2 that were not discovered during the previous audits.

Vranken responsibly disclosed the issues to the OpenVPN development team in May and June; the four vulnerabilities were addressed in the OpenVPN 2.4.3 and OpenVPN 2.3.17 releases this week.

The OpenVPN team has no evidence that the vulnerabilities have been exploited in the wild. Nevertheless, users are urged to update their installs to OpenVPN versions 2.4.3 or 2.3.17 as soon as possible.

The CVE-2017-7508 vulnerability is the most severe issue discovered by the expert; it is a remotely-triggerable ASSERT() on malformed IPv6 packets that can be exploited to shut down an OpenVPN server or client. The researcher discovered that the vulnerability is exploitable only if IPv6 and --mssfix are enabled, and only if the IPv6 networks used inside the VPN are known.

The second vulnerability found by the expert, tracked as CVE-2017-7521, is caused by code that doesn't release all allocated memory when using the --x509-alt-username option on OpenSSL builds with an extension (argument prefixed with "ext:").

“Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack.” states the advisory.

“When using the --x509-alt-username option on OpenSSL builds with an extension (argument prefixed with “ext:”, e.g. “ext:subjectAltName”), the code would not free all allocated memory.”

The third vulnerability, also tracked as CVE-2017-7521, was a potential double-free in --x509-alt-username that is exploitable on configurations that use the --x509-alt-username option with an x509 extension.

“OpenVPN did not check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free’d twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory.” reads the advisory.

“The problem can only be triggered for configurations that use the --x509-alt-username option with an x509 extension (i.e. the options parameter starts with “ext:”).”
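The unchecked-return pattern the advisory describes, shown as a constructed C example (not OpenVPN's or OpenSSL's code): a mock conversion routine standing in for ASN1_STRING_to_UTF8() fails on the second value, and the loop that ignores its return value releases the buffer from the previous iteration a second time, while the checked loop does not. The pool, the release tracker and the sample values are all assumptions made for the demo.

```c
#include <string.h>
/* Constructed stand-in for OpenSSL's ASN1_STRING_to_UTF8(), assumed to keep its
 * contract: length on success, negative on failure, and *out untouched on
 * failure, the situation the advisory describes. Buffers come from a static
 * pool, so a repeated release cannot corrupt a real heap in this demo. */
static unsigned char pool[8][64];
static int next_buf;

static int mock_asn1_string_to_utf8(unsigned char **out, const char *in, int fail)
{
    if (fail || next_buf >= 8 || strlen(in) >= 64)
        return -1;                     /* simulated out-of-memory */
    *out = pool[next_buf++];
    strcpy((char *)*out, in);
    return (int)strlen(in);
}

/* Release tracker: a second release of the same pointer is counted rather
 * than invoking the undefined behaviour a real double free would. */
static unsigned char *released[8];
static int n_released, double_frees;

static void tracked_free(unsigned char *p)
{
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    released[n_released++] = p;
}

/* Converts each extension value in turn and returns the double-free count.
 * checked == 0 mirrors the flawed pattern: the return value is ignored, so after
 * a failed conversion buf still holds the pointer released in the previous
 * iteration and is released again. checked == 1 is the hardened loop. */
int convert_extensions(const char **vals, const int *fail, int n, int checked)
{
    unsigned char *buf = NULL;
    next_buf = n_released = double_frees = 0;
    for (int i = 0; i < n; i++) {
        int len = mock_asn1_string_to_utf8(&buf, vals[i], fail[i]);
        if (checked && len < 0) {
            buf = NULL;                /* nothing allocated: skip this value */
            continue;
        }
        /* ... the caller would inspect buf here ... */
        if (buf)
            tracked_free(buf);
        if (checked)
            buf = NULL;                /* never keep a dangling pointer */
    }
    return double_frees;
}
```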

A fourth flaw, tracked as CVE-2017-7522, was a post-authentication remote DoS when using the --x509-track option.

“asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character,” continues the advisory. “The other way around is not interesting, as servers are allowed to stop a client by design.”

OpenVPN also fixed other bugs, such as a pre-authentication remote crash/information disclosure for clients tracked as CVE-2017-7520.

The vulnerability could be exploited by an attacker positioned between the client and the proxy (a man-in-the-middle) to crash the client or disclose at most 96 bytes of its stack memory. The disclosed portion of memory is likely to contain the proxy password.

The flaw can be exploited only on clients that use an HTTP proxy with NTLM authentication. Clients that don't use the --http-proxy option with ntlm2 authentication are not affected.

The exploitation of the flaw is unlikely to compromise the security of the OpenVPN tunnel if the password isn’t reused.

The new release also fixed a null-pointer dereference in establish_http_proxy_passthru() that could crash the client “if the peer did not specify the ‘realm’ and/or ‘nonce’ values. These pointers are dereferenced in DigestCalcHA1() and DigestCalcResponse(); hence, if not set, a null-pointer dereference would occur.”

Further technical details of the vulnerabilities discovered by Vranken were reported in the post titled, “The OpenVPN Post-Audit Bug Bonanza,” written by the researcher.
