OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2992 advisory.

  - OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability     when key-method 1 is used, possibly resulting in code execution. (CVE-2017-12166)

  - An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2     (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives     before the data channel crypto parameters have been initialized, the victim's connection will be dropped.
    This requires careful timing due to the small time window (usually within a few seconds) between the     victim client connection starting and the server PUSH_REPLY response back to the client. This attack will     only work if Negotiable Cipher Parameters (NCP) is in use. (CVE-2020-11810)

  - OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control     channel data on servers configured with deferred authentication, which can be used to potentially trigger     further information leaks. (CVE-2020-15078)

  - OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins     when more than one of them makes use of deferred authentication replies, which allows an external user to     be granted access with only partially correct credentials. (CVE-2022-0547)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Maintenance release with several minor upstream bugfixes and a security fix related to legacy configurations deploying the deprecated `key-method 1` configuration option ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017- 12166)). From this update of, OpenVPN will use the lz4 compression library from Fedora instead of the upstream bundled library.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. (CVE-2017-12166)

This update for openvpn fixes the following issues :

  - CVE-2017-12166: Lack of bound check in read_key in old     legacy key handling before using values could be used     for a remote buffer overflow (bsc#1060877).

This update was imported from the SUSE:SLE-12:Update update project.

This update for openvpn fixes the following issues :

  - CVE-2017-12166: Lack of bound check in read_key in old     legacy key handling before using values could be used     for a remote buffer overflow (bsc#1060877).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for openvpn fixes the following security issues :

  - CVE-2017-12166: OpenVPN was vulnerable to a buffer     overflow vulnerability when key-method 1 is used,     possibly resulting in code execution. (bsc#1060877).

  - CVE-2016-6329: Now show which ciphers should no longer     be used in openvpn --show-ciphers to avoid the SWEET32     attack (bsc#995374)

  - CVE-2017-7478: OpenVPN was vulnerable to unauthenticated     Denial of Service of server via received large control     packet. (bsc#1038709)

  - CVE-2017-7479: OpenVPN was vulnerable to reachable     assertion when packet-ID counter rolls over resulting     into Denial of Service of server by authenticated     attacker. (bsc#1038711)

  - Some other hardening fixes have also been applied     (bsc#1038713)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the 'key-method 1' implementation which could allow buffer overflow attacks and result in unexpected code execution

Steffan Karger reports :

The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack-based buffer overflow. [...]

Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 and marked for removal in 2.5. This should limit the amount of users impacted by this issue.

ID	Name	Product	Family	Severity
160475	Debian DLA-2992-1 : openvpn - LTS security update	Nessus	Debian Local Security Checks	critical
105881	Fedora 27 : openvpn (2017-5882331351)	Nessus	Fedora Local Security Checks	high
104394	Amazon Linux AMI : openvpn (ALAS-2017-920)	Nessus	Amazon Linux Local Security Checks	high
104238	openSUSE Security Update : openvpn (openSUSE-2017-1202)	Nessus	SuSE Local Security Checks	high
104142	SUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:2839-1)	Nessus	SuSE Local Security Checks	high
104141	SUSE SLES11 Security Update : openvpn (SUSE-SU-2017:2838-1) (SWEET32)	Nessus	SuSE Local Security Checks	high
103701	OpenVPN 2.x < 2.3. 18/ 2.4.x < 2.4.4 Buffer Overflow Vulnerability w/ key-method 1	Nessus	Windows	high
103611	Fedora 26 : openvpn (2017-700915e34f)	Nessus	Fedora Local Security Checks	high
103523	FreeBSD : OpenVPN -- out-of-bounds write in legacy key-method 1 (3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2017-12166

critical

Tenable Plugins

critical

high

high

high

high

high

high

high

high