FreeBSD : OpenVPN -- two remote denial-of-service vulnerabilities (04cc7bd2-3686-11e7-aa64-080027ef73ec)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Samuli Seppanen reports :

OpenVPN v2.4.0 was audited for security vulnerabilities independently
by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded
by Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake'
(P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is
the first that is allowed to carry payload. If that payload is too
big, the OpenVPN server process will stop running due to an ASSERT()
exception. That is also the reason why servers using
tls-auth/tls-crypt are protected against this attack - the P_CONTROL
packet is only accepted if it contains the session ID we specified,
with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's packet-id counter
to roll over, which would lead the server process to hit an ASSERT()
and stop running. To make the server hit the ASSERT(), the client must
first cause the server to send it 2^32 packets (at least 196 GB).

See also :

https://openvpn.net/index.php/open-source/downloads.html
http://www.nessus.org/u?5c722f7c
https://ostif.org/?p=870&preview=true
http://www.nessus.org/u?07d71b0e
http://www.nessus.org/u?6d3aac0a

Solution :

Update the affected packages.
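
Until the update is applied, the description above notes that servers using tls-auth/tls-crypt are protected against the oversized P_CONTROL payload (CVE-2017-7478). The following sh functions are an added example, not part of the plugin or of OpenVPN, that report which server configs set neither option; the sample configs are constructed, and files pulled in through a `config` directive are not followed. The check says nothing about the packet-id rollover issue.

```shell
#!/bin/sh
# Added example (not Tenable or OpenVPN project code).

# control_channel_auth FILE
# Prints tls-crypt, tls-auth or none. Status: 0 key configured, 1 none, 2 unreadable.
control_channel_auth() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indentation
        /^[#;]/ || /^$/ { next }                 # comment lines and blanks
        { opt = $1; sub(/^--/, "", opt) }        # "--option" is accepted in config files
        opt == "tls-crypt" || opt == "<tls-crypt>" { crypt = 1 }  # key file or inline block
        opt == "tls-auth"  || opt == "<tls-auth>"  { auth = 1 }
        END {
            if (crypt)     print "tls-crypt"
            else if (auth) print "tls-auth"
            else         { print "none"; exit 1 }
        }
    ' "$1"
}

# audit_configs FILE...
# One "file<TAB>result" line per config; status 1 if any config lacks both options.
audit_configs() {
    missing=0
    for f in "$@"; do
        result=$(control_channel_auth "$f") || true
        printf '%s\t%s\n' "$f" "$result"
        case $result in tls-auth|tls-crypt) ;; *) missing=1 ;; esac
    done
    return "$missing"
}

# Constructed sample configs, written to a temporary directory for the demo.
demo=$(mktemp -d)
printf 'port 1194\nproto udp\n; tls-auth ta.key 0\n' > "$demo/plain.conf"
printf 'port 1194\n  tls-auth ta.key 0 # HMAC key\n' > "$demo/auth.conf"
printf 'port 1194\n<tls-crypt>\n(key omitted)\n</tls-crypt>\n' > "$demo/crypt.conf"
audit_configs "$demo"/*.conf || echo "at least one config has no tls-auth/tls-crypt"
```

On a real host, pass the server's own configuration files to `audit_configs` in place of the demo directory.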

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 100140

CVE ID: CVE-2017-7478
CVE-2017-7479
