ID CVE-2017-7522
Summary OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by an authenticated remote attacker via sending a certificate with an embedded NULL character.
References
Vulnerable Configurations
  • cpe:2.3:a:openvpn:openvpn:2.3.16
    cpe:2.3:a:openvpn:openvpn:2.3.16
  • OpenVPN 2.4.0 Release Candidate 2
    cpe:2.3:a:openvpn:openvpn:2.4.0:rc2
  • OpenVPN 2.4.0 Release Candidate 1
    cpe:2.3:a:openvpn:openvpn:2.4.0:rc1
  • OpenVPN 2.4.0 Beta 2
    cpe:2.3:a:openvpn:openvpn:2.4.0:beta2
  • OpenVPN 2.4.0 Alpha 2
    cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2
  • OpenVPN 2.4.0 Beta 1
    cpe:2.3:a:openvpn:openvpn:2.4.0:beta1
  • OpenVPN 2.4.0
    cpe:2.3:a:openvpn:openvpn:2.4.0
  • OpenVPN 2.4.1
    cpe:2.3:a:openvpn:openvpn:2.4.1
  • cpe:2.3:a:openvpn:openvpn:2.4.2
    cpe:2.3:a:openvpn:openvpn:2.4.2
CVSS
Base: 4.0
Impact:
Exploitability:
CWE CWE-476
CAPEC
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_9F65D38256A411E783E3080027EF73EC.NASL
    description Samuli Seppanen reports : In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the process he found several vulnerabilities and reported them to the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17. This is a list of fixed important vulnerabilities : - Remotely-triggerable ASSERT() on malformed IPv6 packet - Pre-authentication remote crash/information disclosure for clients - Potential double-free in --x509-alt-username - Remote-triggerable memory leaks - Post-authentication remote DoS when using the --x509-track option - NULL pointer dereference in establish_http_proxy_passthru()
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100976
    published 2017-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100976
    title FreeBSD : OpenVPN -- several vulnerabilities (9f65d382-56a4-11e7-83e3-080027ef73ec)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-172-01.NASL
    description New openvpn packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 100964
    published 2017-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100964
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openvpn (SSA:2017-172-01)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-852.NASL
    description OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving a malformed IPv6 packet. (CVE-2017-7508) OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by an authenticated remote attacker via sending a certificate with an embedded NULL character. (CVE-2017-7522) OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and a double-free issue in extract_x509_extension(). (CVE-2017-7521) OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by a man-in-the-middle attacker. (CVE-2017-7520)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 101064
    published 2017-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101064
    title Amazon Linux AMI : openvpn (ALAS-2017-852)
refmap via4
bid 99230
confirm https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
sectrack 1038768
the hacker news via4
id THN:C1BE07D6F243E68380FCD3A7F0CDD890
last seen 2018-01-27
modified 2017-06-22
published 2017-06-21
reporter Swati Khandelwal
source https://thehackernews.com/2017/06/openvpn-security-flaw_21.html
title Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits
Last major update 27-06-2017 - 09:29
Published 27-06-2017 - 09:29
Last modified 06-07-2017 - 21:29