FreeBSD : OpenVPN -- two remote denial-of-service vulnerabilities (04cc7bd2-3686-11e7-aa64-080027ef73ec)

Medium Nessus Plugin ID 100140


The remote FreeBSD host is missing one or more security-related updates.


Samuli Seppanen reports :

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's the packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB).


Update the affected packages.

See Also

Plugin Details

Severity: Medium

ID: 100140

File Name: freebsd_pkg_04cc7bd2368611e7aa64080027ef73ec.nasl

Version: $Revision: 3.4 $

Type: local

Published: 2017/05/12

Modified: 2018/01/31

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P


Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:openvpn, p-cpe:/a:freebsd:freebsd:openvpn-mbedtls, p-cpe:/a:freebsd:freebsd:openvpn-polarssl, p-cpe:/a:freebsd:freebsd:openvpn23, p-cpe:/a:freebsd:freebsd:openvpn23-polarssl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2017/05/11

Vulnerability Publication Date: 2017/05/10

Reference Information

CVE: CVE-2017-7478, CVE-2017-7479