ID 9F65D382-56A4-11E7-83E3-080027EF73EC Type freebsd Reporter FreeBSD Modified 2017-05-19T00:00:00
Description
Samuli Seppänen reports:
In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.
This is a list of fixed important vulnerabilities:
Remotely-triggerable ASSERT() on malformed IPv6 packet
Pre-authentication remote crash/information disclosure for clients
Potential double-free in --x509-alt-username
Remote-triggerable memory leaks
Post-authentication remote DoS when using the --x509-track option
Null-pointer dereference in establish_http_proxy_passthru()
{"id": "9F65D382-56A4-11E7-83E3-080027EF73EC", "bulletinFamily": "unix", "title": "OpenVPN -- several vulnerabilities", "description": "\nSamuli Sepp\u00c3\u00a4nen reports:\n\nIn May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In\n\t the process he found several vulnerabilities and reported them to\n\t the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.\nThis is a list of fixed important vulnerabilities:\n\nRemotely-triggerable ASSERT() on malformed IPv6 packet\nPre-authentication remote crash/information disclosure for clients\nPotential double-free in --x509-alt-username\nRemote-triggerable memory leaks\nPost-authentication remote DoS when using the --x509-track option\nNull-pointer dereference in establish_http_proxy_passthru()\n\n\n", "published": "2017-05-19T00:00:00", "modified": "2017-05-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://vuxml.freebsd.org/freebsd/9f65d382-56a4-11e7-83e3-080027ef73ec.html", "reporter": "FreeBSD", "references": ["https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243"], "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522", "CVE-2017-7512"], "type": "freebsd", "lastseen": "2019-05-29T18:32:15", "edition": 6, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K63104801"]}, {"type": "slackware", "idList": ["SSA-2017-172-01"]}, {"type": "nessus", "idList": ["FEDORA_2017-F8A114CD09.NASL", "OPENVPN_2_4_3.NASL", "OPENSUSE-2017-730.NASL", "UBUNTU_USN-3339-1.NASL", "SLACKWARE_SSA_2017-172-01.NASL", "FEDORA_2017-0639FB1490.NASL", "SUSE_SU-2017-1635-1.NASL", "FREEBSD_PKG_9F65D38256A411E783E3080027EF73EC.NASL", "ALA_ALAS-2017-852.NASL", "FEDORA_2017-5596F2F94D.NASL"]}, {"type": "amazon", "idList": ["ALAS-2017-852"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843225", "OPENVAS:1361412562310872787", "OPENVAS:703900", "OPENVAS:1361412562310890999", "OPENVAS:1361412562310872800", "OPENVAS:1361412562310851572", "OPENVAS:1361412562310891014", "OPENVAS:1361412562310703900"]}, {"type": "thn", "idList": ["THN:C1BE07D6F243E68380FCD3A7F0CDD890"]}, {"type": "hackerone", "idList": ["H1:242579"]}, {"type": "cve", "idList": ["CVE-2017-7512", "CVE-2017-7521", "CVE-2017-7520", "CVE-2017-7522", "CVE-2017-7508"]}, {"type": "archlinux", "idList": ["ASA-201706-27"]}, {"type": "fedora", "idList": ["FEDORA:DF2946016154", "FEDORA:4F7E46076A13", "FEDORA:26D3C6076012"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1680-1", "SUSE-SU-2017:1642-1", "SUSE-SU-2017:1718-1", "SUSE-SU-2017:1635-1"]}, {"type": "ubuntu", "idList": ["USN-3339-1", "USN-3339-2"]}, {"type": "debian", "idList": ["DEBIAN:DLA-999-1:32E2F", "DEBIAN:BSA-116:60A13", "DEBIAN:DSA-3900-1:0112E", "DEBIAN:DLA-1014-1:37017"]}, {"type": "threatpost", "idList": ["THREATPOST:738D3E12C5D9374D46CA1BEF0D15A79C"]}, {"type": "redhat", "idList": ["RHSA-2017:1712"]}], "modified": "2019-05-29T18:32:15", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2019-05-29T18:32:15", "rev": 2}, "vulnersScore": 5.8}, "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "openvpn", "packageVersion": "2.3.17"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "openvpn-mbedtls", "packageVersion": "2.4.3"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "openvpn-polarssl", "packageVersion": "2.3.17"}], "scheme": null}
{"f5": [{"lastseen": "2017-08-04T02:22:56", "bulletinFamily": "software", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.3.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-08-04T00:17:00", "published": "2017-08-04T00:17:00", "href": "https://support.f5.com/csp/article/K63104801", "id": "F5:K63104801", "title": "OpenVPN vulnerabilities CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, and CVE-2017-7522", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:27", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508", "CVE-2017-7512", "CVE-2017-7520", "CVE-2017-7521", "CVE-2017-7522"], "description": "New openvpn packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/openvpn-2.3.17-i586-1_slack14.2.txz: Upgraded.\n This update fixes several denial of service issues discovered\n by Guido Vranken.\n For more information, see:\n https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7512\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openvpn-2.3.17-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openvpn-2.3.17-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openvpn-2.3.17-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openvpn-2.3.17-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openvpn-2.3.17-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openvpn-2.3.17-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openvpn-2.3.17-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openvpn-2.3.17-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openvpn-2.3.17-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openvpn-2.3.17-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openvpn-2.3.17-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openvpn-2.3.17-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openvpn-2.4.3-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openvpn-2.4.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n326003ba4359c994d9d9451d8c811a7c openvpn-2.3.17-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n38d3e975bd173066d417c00817b1926f openvpn-2.3.17-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n9d90bff4b3934035000e0a637dcd5870 openvpn-2.3.17-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\nbf3e8104d8f53c2a5cabbde3cd1175f3 openvpn-2.3.17-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n4394a24fc1745b619a6d640da18a17df openvpn-2.3.17-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n7231d5dc636ccf47fca8fb60d92c6e9c openvpn-2.3.17-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n37a195492c74384fa7a95f9b8c5d528d openvpn-2.3.17-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ndc3a2cdf61c2b1d796ed0663f9deeb77 openvpn-2.3.17-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n601bfdb72e6fef2a0d8108ea33f5cf5d openvpn-2.3.17-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n6329704b8a952f3de8b64fe3b294d5ab openvpn-2.3.17-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n0d4cb74aab8225c1967f37c9e1bff8f4 openvpn-2.3.17-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\nf70fdb325b03da7b18bcfadda367e7b9 openvpn-2.3.17-x86_64-1_slack14.2.txz\n\nSlackware -current package:\ne8aec8c39f95837fd4632167e7844a65 n/openvpn-2.4.3-i586-1.txz\n\nSlackware x86_64 -current package:\nb580604ff3b78acd74805c41d4c2bcc8 n/openvpn-2.4.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openvpn-2.3.17-i586-1_slack14.2.txz", "modified": "2017-06-21T18:40:28", "published": "2017-06-21T18:40:28", "id": "SSA-2017-172-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.569890", "type": "slackware", "title": "[slackware-security] openvpn", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:10:18", "description": "New openvpn packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-22T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openvpn (SSA:2017-172-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522", "CVE-2017-7512"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "p-cpe:/a:slackware:slackware_linux:openvpn", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2017-172-01.NASL", "href": "https://www.tenable.com/plugins/nessus/100964", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-172-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100964);\n script_version(\"$Revision: 3.5 $\");\n script_cvs_date(\"$Date: 2018/01/26 17:50:31 $\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7512\", \"CVE-2017-7520\", \"CVE-2017-7521\", \"CVE-2017-7522\");\n script_xref(name:\"SSA\", value:\"2017-172-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openvpn (SSA:2017-172-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New openvpn packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.569890\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7420c6e1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.3.17\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openvpn\", pkgver:\"2.4.3\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"openvpn\", pkgver:\"2.4.3\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:56:41", "description": "Samuli Seppanen reports :\n\nIn May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the\nprocess he found several vulnerabilities and reported them to the\nOpenVPN project. [...] The first releases to have these fixes are\nOpenVPN 2.4.3 and 2.3.17.\n\nThis is a list of fixed important vulnerabilities :\n\n- Remotely-triggerable ASSERT() on malformed IPv6 packet\n\n- Pre-authentication remote crash/information disclosure for clients\n\n- Potential double-free in --x509-alt-username\n\n- Remote-triggerable memory leaks\n\n- Post-authentication remote DoS when using the --x509-track option\n\n- NULL pointer dereference in establish_http_proxy_passthru()", "edition": 33, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-22T00:00:00", "title": "FreeBSD : OpenVPN -- several vulnerabilities (9f65d382-56a4-11e7-83e3-080027ef73ec)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522", "CVE-2017-7512"], "modified": "2017-06-22T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openvpn-polarssl", "p-cpe:/a:freebsd:freebsd:openvpn-mbedtls", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:openvpn"], "id": "FREEBSD_PKG_9F65D38256A411E783E3080027EF73EC.NASL", "href": "https://www.tenable.com/plugins/nessus/100976", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100976);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7512\", \"CVE-2017-7520\", \"CVE-2017-7521\", \"CVE-2017-7522\");\n\n script_name(english:\"FreeBSD : OpenVPN -- several vulnerabilities (9f65d382-56a4-11e7-83e3-080027ef73ec)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Samuli Seppanen reports :\n\nIn May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the\nprocess he found several vulnerabilities and reported them to the\nOpenVPN project. [...] The first releases to have these fixes are\nOpenVPN 2.4.3 and 2.3.17.\n\nThis is a list of fixed important vulnerabilities :\n\n- Remotely-triggerable ASSERT() on malformed IPv6 packet\n\n- Pre-authentication remote crash/information disclosure for clients\n\n- Potential double-free in --x509-alt-username\n\n- Remote-triggerable memory leaks\n\n- Post-authentication remote DoS when using the --x509-track option\n\n- NULL pointer dereference in establish_http_proxy_passthru()\"\n );\n # https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af9c7e6f\"\n );\n # https://vuxml.freebsd.org/freebsd/9f65d382-56a4-11e7-83e3-080027ef73ec.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?20eadacf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openvpn-mbedtls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openvpn-polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"openvpn<2.3.17\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openvpn>=2.4.0<2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openvpn-mbedtls<2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"openvpn-polarssl<2.3.17\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:33:12", "description": "According to its self-reported version number, the version of OpenVPN installed on the remote Windows host is 2.3.x \nprior to 2.3.17 or 2.4.x prior to 2.4.3. It is, therefore, affected by multiple denial of service (DoS) vulnerabilities \ndue to invalid input validation. An unauthenticated, remote attacker can exploit this issue, by sending malformed input,\nto cause the application to stop responding.", "edition": 17, "cvss3": {"score": 7.4, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H"}, "published": "2019-05-17T00:00:00", "title": "OpenVPN 2.3.x < 2.3.17 & 2.4.x < 2.4.3 Multiple Denial of Service Vulnerabilites (Windows)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:openvpn:openvpn"], "id": "OPENVPN_2_4_3.NASL", "href": "https://www.tenable.com/plugins/nessus/125262", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125262);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/30 13:24:47\");\n\n script_cve_id(\n \"CVE-2017-7508\",\n \"CVE-2017-7520\",\n \"CVE-2017-7521\",\n \"CVE-2017-7522\"\n );\n script_bugtraq_id(99230);\n\n script_name(english:\"OpenVPN 2.3.x < 2.3.17 & 2.4.x < 2.4.3 Multiple Denial of Service Vulnerabilites (Windows)\");\n script_summary(english:\"Checks the version of OpenVPN.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of OpenVPN installed on the remote Windows host is 2.3.x \nprior to 2.3.17 or 2.4.x prior to 2.4.3. It is, therefore, affected by multiple denial of service (DoS) vulnerabilities \ndue to invalid input validation. An unauthenticated, remote attacker can exploit this issue, by sending malformed input,\nto cause the application to stop responding.\");\n # https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?af9c7e6f\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to OpenVPN 2.3.17 / 2.4.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7520\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n \n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openvpn:openvpn\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"openvpn_server_installed.nbin\");\n script_require_keys(\"installed_sw/OpenVPN Server\");\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'OpenVPN Server');\n\nconstraints = [\n {'min_version': '2.3.0', 'fixed_version': '2.3.17'},\n {'min_version': '2.4.0', 'fixed_version': '2.4.3'}\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-01-01T01:19:36", "description": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\nremote denial-of-service when receiving malformed IPv6 packet.\n(CVE-2017-7508)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\ndenial-of-service by authenticated remote attacker via sending a\ncertificate with an embedded NULL character. (CVE-2017-7522)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\nremote denial-of-service due to memory exhaustion caused by memory\nleaks and double-free issue in extract_x509_extension().\n(CVE-2017-7521)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\ndenial-of-service and/or possibly sensitive memory leak triggered by\nman-in-the-middle attacker. (CVE-2017-7520)", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-06-28T00:00:00", "title": "Amazon Linux AMI : openvpn (ALAS-2017-852)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:openvpn-debuginfo", "p-cpe:/a:amazon:linux:openvpn-devel", "p-cpe:/a:amazon:linux:openvpn", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-852.NASL", "href": "https://www.tenable.com/plugins/nessus/101064", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-852.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101064);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\", \"CVE-2017-7522\");\n script_xref(name:\"ALAS\", value:\"2017-852\");\n\n script_name(english:\"Amazon Linux AMI : openvpn (ALAS-2017-852)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\nremote denial-of-service when receiving malformed IPv6 packet.\n(CVE-2017-7508)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\ndenial-of-service by authenticated remote attacker via sending a\ncertificate with an embedded NULL character. (CVE-2017-7522)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\nremote denial-of-service due to memory exhaustion caused by memory\nleaks and double-free issue in extract_x509_extension().\n(CVE-2017-7521)\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to\ndenial-of-service and/or possibly sensitive memory leak triggered by\nman-in-the-middle attacker. (CVE-2017-7520)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-852.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update openvpn' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openvpn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openvpn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"openvpn-2.4.3-1.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openvpn-debuginfo-2.4.3-1.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openvpn-devel-2.4.3-1.19.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn / openvpn-debuginfo / openvpn-devel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T14:25:58", "description": "This update for openvpn fixes the following issues :\n\n - Some parts of the certificate-parsing code did not\n always clear all allocated memory. This would have\n allowed clients to leak a few bytes of memory for each\n connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947,\n CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have\n resulted in some buffers being free()d twice, and this\n issue could have potentially been triggered remotely by\n a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy\n could cause the client to crash or disclose at most 96\n bytes of stack memory. The disclosed stack memory was\n likely to contain the proxy password. If the proxy\n password had not been reused, this was unlikely to\n compromise the security of the OpenVPN tunnel itself.\n Clients who did not use the\n\n --http-proxy option with ntlm2 authentication were not\n affected. [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a\n malformed IPv6 packet. That issue could have been abused\n to remotely shutdown an openvpn server or client, if\n IPv6 and --mssfix were enabled and if the IPv6 networks\n used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-06-22T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:1635-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "modified": "2017-06-22T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openvpn-debugsource", "p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin", "p-cpe:/a:novell:suse_linux:openvpn-debuginfo", "p-cpe:/a:novell:suse_linux:openvpn", "p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin-debuginfo"], "id": "SUSE_SU-2017-1635-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1635-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100985);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:1635-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openvpn fixes the following issues :\n\n - Some parts of the certificate-parsing code did not\n always clear all allocated memory. This would have\n allowed clients to leak a few bytes of memory for each\n connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947,\n CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have\n resulted in some buffers being free()d twice, and this\n issue could have potentially been triggered remotely by\n a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy\n could cause the client to crash or disclose at most 96\n bytes of stack memory. The disclosed stack memory was\n likely to contain the proxy password. If the proxy\n password had not been reused, this was unlikely to\n compromise the security of the OpenVPN tunnel itself.\n Clients who did not use the\n\n --http-proxy option with ntlm2 authentication were not\n affected. [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a\n malformed IPv6 packet. That issue could have been abused\n to remotely shutdown an openvpn server or client, if\n IPv6 and --mssfix were enabled and if the IPv6 networks\n used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1044947\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7508/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7520/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7521/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171635-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?abcde14b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1011=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1011=1\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-1011=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1011=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1011=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1011=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-1011=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1011=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openvpn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openvpn-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openvpn-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openvpn-auth-pam-plugin-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openvpn-auth-pam-plugin-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openvpn-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openvpn-debugsource-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openvpn-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openvpn-auth-pam-plugin-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openvpn-auth-pam-plugin-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openvpn-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openvpn-debugsource-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-auth-pam-plugin-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-auth-pam-plugin-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-debugsource-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-debuginfo-2.3.8-16.17.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openvpn-debugsource-2.3.8-16.17.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:10:58", "description": "Updates to the latest upstream OpenVPN 2.3.17, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-07-03T00:00:00", "title": "Fedora 24 : openvpn (2017-5596f2f94d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "modified": "2017-07-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:24", "p-cpe:/a:fedoraproject:fedora:openvpn"], "id": "FEDORA_2017-5596F2F94D.NASL", "href": "https://www.tenable.com/plugins/nessus/101180", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-5596f2f94d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101180);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_xref(name:\"FEDORA\", value:\"2017-5596f2f94d\");\n\n script_name(english:\"Fedora 24 : openvpn (2017-5596f2f94d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updates to the latest upstream OpenVPN 2.3.17, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5596f2f94d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"openvpn-2.3.17-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:15:12", "description": "Updates to the latest upstream OpenVPN 2.4.3, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This\nupdate also re-enables automatic restart of OpenVPN on the next\nupdates. For this update, the restart needs to be done manually.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : openvpn (2017-f8a114cd09)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openvpn", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-F8A114CD09.NASL", "href": "https://www.tenable.com/plugins/nessus/101748", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-f8a114cd09.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101748);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_xref(name:\"FEDORA\", value:\"2017-f8a114cd09\");\n\n script_name(english:\"Fedora 26 : openvpn (2017-f8a114cd09)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updates to the latest upstream OpenVPN 2.4.3, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This\nupdate also re-enables automatic restart of OpenVPN on the next\nupdates. For this update, the restart needs to be done manually.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8a114cd09\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"openvpn-2.4.3-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-06-05T11:15:25", "description": "This update for openvpn fixes the following issues :\n\n - Some parts of the certificate-parsing code did not\n always clear all allocated memory. This would have\n allowed clients to leak a few bytes of memory for each\n connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947,\n CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have\n resulted in some buffers being free()d twice, and this\n issue could have potentially been triggered remotely by\n a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy\n could cause the client to crash or disclose at most 96\n bytes of stack memory. The disclosed stack memory was\n likely to contain the proxy password. If the proxy\n password had not been reused, this was unlikely to\n compromise the security of the OpenVPN tunnel itself.\n Clients who did not use the --http-proxy option with\n ntlm2 authentication were not affected. [bsc#1044947,\n CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a\n malformed IPv6 packet. That issue could have been abused\n to remotely shutdown an openvpn server or client, if\n IPv6 and --mssfix were enabled and if the IPv6 networks\n used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 22, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-06-30T00:00:00", "title": "openSUSE Security Update : openvpn (openSUSE-2017-730)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "modified": "2017-06-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:openvpn-debuginfo", "p-cpe:/a:novell:opensuse:openvpn-debugsource", "p-cpe:/a:novell:opensuse:openvpn", "p-cpe:/a:novell:opensuse:openvpn-devel", "p-cpe:/a:novell:opensuse:openvpn-auth-pam-plugin-debuginfo", "p-cpe:/a:novell:opensuse:openvpn-down-root-plugin", "p-cpe:/a:novell:opensuse:openvpn-down-root-plugin-debuginfo", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:openvpn-auth-pam-plugin"], "id": "OPENSUSE-2017-730.NASL", "href": "https://www.tenable.com/plugins/nessus/101131", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-730.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101131);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n\n script_name(english:\"openSUSE Security Update : openvpn (openSUSE-2017-730)\");\n script_summary(english:\"Check for the openSUSE-2017-730 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openvpn fixes the following issues :\n\n - Some parts of the certificate-parsing code did not\n always clear all allocated memory. This would have\n allowed clients to leak a few bytes of memory for each\n connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947,\n CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have\n resulted in some buffers being free()d twice, and this\n issue could have potentially been triggered remotely by\n a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy\n could cause the client to crash or disclose at most 96\n bytes of stack memory. The disclosed stack memory was\n likely to contain the proxy password. If the proxy\n password had not been reused, this was unlikely to\n compromise the security of the OpenVPN tunnel itself.\n Clients who did not use the --http-proxy option with\n ntlm2 authentication were not affected. [bsc#1044947,\n CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a\n malformed IPv6 packet. That issue could have been abused\n to remotely shutdown an openvpn server or client, if\n IPv6 and --mssfix were enabled and if the IPv6 networks\n used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1044947\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-auth-pam-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-auth-pam-plugin-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-down-root-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openvpn-down-root-plugin-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-auth-pam-plugin-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-auth-pam-plugin-debuginfo-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-debuginfo-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-debugsource-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-devel-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-down-root-plugin-2.3.8-8.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openvpn-down-root-plugin-debuginfo-2.3.8-8.10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn / openvpn-auth-pam-plugin / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:15:08", "description": "Updates to the latest upstream OpenVPN 2.4.3, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This\nupdate also re-enables automatic restart of OpenVPN on the next\nupdates. For this update, the restart needs to be done manually.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 23, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-06-26T00:00:00", "title": "Fedora 25 : openvpn (2017-0639fb1490)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "modified": "2017-06-26T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:openvpn"], "id": "FEDORA_2017-0639FB1490.NASL", "href": "https://www.tenable.com/plugins/nessus/101036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0639fb1490.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101036);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_xref(name:\"FEDORA\", value:\"2017-0639fb1490\");\n\n script_name(english:\"Fedora 25 : openvpn (2017-0639fb1490)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updates to the latest upstream OpenVPN 2.4.3, containing security\nupdates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This\nupdate also re-enables automatic restart of OpenVPN on the next\nupdates. For this update, the restart needs to be done manually.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0639fb1490\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"openvpn-2.4.3-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T06:45:25", "description": "Karthikeyan Bhargavan and Gaetan Leurent discovered that 64-bit block\nciphers are vulnerable to a birthday attack. A remote attacker could\npossibly use this issue to recover cleartext data. Fixing this issue\nrequires a configuration change to switch to a different cipher. This\nupdate adds a warning to the log file when a 64-bit block cipher is in\nuse. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and\nUbuntu 16.10. (CVE-2016-6329)\n\nIt was discovered that OpenVPN incorrectly handled rollover of packet\nids. An authenticated remote attacker could use this issue to cause\nOpenVPN to crash, resulting in a denial of service. This issue only\naffected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.\n(CVE-2017-7479)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain\nmalformed IPv6 packets. A remote attacker could use this issue to\ncause OpenVPN to crash, resulting in a denial of service.\n(CVE-2017-7508)\n\nGuido Vranken discovered that OpenVPN incorrectly handled memory. A\nremote attacker could use this issue to cause OpenVPN to crash,\nresulting in a denial of service. (CVE-2017-7512)\n\nGuido Vranken discovered that OpenVPN incorrectly handled an HTTP\nproxy with NTLM authentication. A remote attacker could use this issue\nto cause OpenVPN clients to crash, resulting in a denial of service,\nor possibly expose sensitive memory contents. (CVE-2017-7520)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain x509\nextensions. A remote attacker could use this issue to cause OpenVPN to\ncrash, resulting in a denial of service. (CVE-2017-7521).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 37, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-23T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : openvpn vulnerabilities (USN-3339-1) (SWEET32)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2016-6329", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479", "CVE-2017-7512"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:openvpn", "cpe:/o:canonical:ubuntu_linux:17.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3339-1.NASL", "href": "https://www.tenable.com/plugins/nessus/101024", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3339-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101024);\n script_version(\"3.15\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2016-6329\", \"CVE-2017-7479\", \"CVE-2017-7508\", \"CVE-2017-7512\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_xref(name:\"USN\", value:\"3339-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : openvpn vulnerabilities (USN-3339-1) (SWEET32)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Karthikeyan Bhargavan and Gaetan Leurent discovered that 64-bit block\nciphers are vulnerable to a birthday attack. A remote attacker could\npossibly use this issue to recover cleartext data. Fixing this issue\nrequires a configuration change to switch to a different cipher. This\nupdate adds a warning to the log file when a 64-bit block cipher is in\nuse. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and\nUbuntu 16.10. (CVE-2016-6329)\n\nIt was discovered that OpenVPN incorrectly handled rollover of packet\nids. An authenticated remote attacker could use this issue to cause\nOpenVPN to crash, resulting in a denial of service. This issue only\naffected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.\n(CVE-2017-7479)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain\nmalformed IPv6 packets. A remote attacker could use this issue to\ncause OpenVPN to crash, resulting in a denial of service.\n(CVE-2017-7508)\n\nGuido Vranken discovered that OpenVPN incorrectly handled memory. A\nremote attacker could use this issue to cause OpenVPN to crash,\nresulting in a denial of service. (CVE-2017-7512)\n\nGuido Vranken discovered that OpenVPN incorrectly handled an HTTP\nproxy with NTLM authentication. A remote attacker could use this issue\nto cause OpenVPN clients to crash, resulting in a denial of service,\nor possibly expose sensitive memory contents. (CVE-2017-7520)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain x509\nextensions. A remote attacker could use this issue to cause OpenVPN to\ncrash, resulting in a denial of service. (CVE-2017-7521).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3339-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openvpn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openvpn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|16\\.10|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 16.10 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openvpn\", pkgver:\"2.3.2-7ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"openvpn\", pkgver:\"2.3.10-1ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"openvpn\", pkgver:\"2.3.11-1ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"openvpn\", pkgver:\"2.4.0-4ubuntu1.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openvpn\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:13:37", "description": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-27T13:29:00", "title": "CVE-2017-7522", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7522"], "modified": "2017-07-07T01:29:00", "cpe": ["cpe:/a:openvpn:openvpn:2.4.2", "cpe:/a:openvpn:openvpn:2.4.1", "cpe:/a:openvpn:openvpn:2.4.0", "cpe:/a:openvpn:openvpn:2.3.16"], "id": "CVE-2017-7522", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7522", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:37", "description": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-27T13:29:00", "title": "CVE-2017-7508", "type": "cve", "cwe": ["CWE-617"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7508"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:openvpn:openvpn:2.4.2", "cpe:/a:openvpn:openvpn:2.4.1", "cpe:/a:openvpn:openvpn:2.4.0", "cpe:/a:openvpn:openvpn:2.3.16"], "id": "CVE-2017-7508", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7508", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:49", "description": "Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2.0.0 would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. NOTE: some sources have a typo in which CVE-2017-7512 maps to an OpenVPN vulnerability. The proper CVE ID for that OpenVPN vulnerability is CVE-2017-7521. Specifically, CVE-2017-7521 is the correct CVE ID for TWO closely related findings in OpenVPN. Any source that lists BOTH CVE-2017-7512 and CVE-2017-7521 for OpenVPN should have listed ONLY CVE-2017-7521.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-07T22:29:00", "title": "CVE-2017-7512", "type": "cve", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7512"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:redhat:3scale_api_management_platform:-"], "id": "CVE-2017-7512", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7512", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:redhat:3scale_api_management_platform:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:37", "description": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-27T13:29:00", "title": "CVE-2017-7521", "type": "cve", "cwe": ["CWE-772", "CWE-415"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7521"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:openvpn:openvpn:2.4.2", "cpe:/a:openvpn:openvpn:2.4.1", "cpe:/a:openvpn:openvpn:2.4.0", "cpe:/a:openvpn:openvpn:2.3.16"], "id": "CVE-2017-7521", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7521", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:37", "description": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2017-06-27T13:29:00", "title": "CVE-2017-7520", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7520"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:openvpn:openvpn:2.4.2", "cpe:/a:openvpn:openvpn:2.4.1", "cpe:/a:openvpn:openvpn:2.4.0", "cpe:/a:openvpn:openvpn:2.3.16"], "id": "CVE-2017-7520", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7520", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-01T00:00:00", "id": "OPENVAS:1361412562310872800", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872800", "type": "openvas", "title": "Fedora Update for openvpn FEDORA-2017-5596f2f94d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openvpn FEDORA-2017-5596f2f94d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872800\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-01 05:25:51 +0200 (Sat, 01 Jul 2017)\");\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\", \"CVE-2017-7522\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openvpn FEDORA-2017-5596f2f94d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openvpn'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openvpn on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-5596f2f94d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUTW46MGXJWXMX5VDLCEVIUHWZRXPCYK\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"openvpn\", rpm:\"openvpn~2.3.17~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-06-24T00:00:00", "id": "OPENVAS:1361412562310872787", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872787", "type": "openvas", "title": "Fedora Update for openvpn FEDORA-2017-0639fb1490", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openvpn FEDORA-2017-0639fb1490\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872787\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-24 07:31:13 +0200 (Sat, 24 Jun 2017)\");\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\", \"CVE-2017-7522\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openvpn FEDORA-2017-0639fb1490\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openvpn'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openvpn on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0639fb1490\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWTVFFSR6XK4GJBQ3UH5HACTIDBYSQRN\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"openvpn\", rpm:\"openvpn~2.4.3~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T18:28:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-06-26T00:00:00", "id": "OPENVAS:1361412562310851572", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851572", "type": "openvas", "title": "openSUSE: Security Advisory for openvpn (openSUSE-SU-2017:1680-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851572\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-26 18:54:41 +0200 (Mon, 26 Jun 2017)\");\n script_cve_id(\"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for openvpn (openSUSE-SU-2017:1680-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openvpn'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for openvpn fixes the following issues:\n\n - Some parts of the certificate-parsing code did not always clear all\n allocated memory. This would have allowed clients to leak a few bytes of\n memory for each connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947, CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have resulted in some\n buffers being free()d twice, and this issue could have potentially been\n triggered remotely by a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy could cause the\n client to crash or disclose at most 96 bytes of stack memory. The\n disclosed stack memory was likely to contain the proxy password. If the\n proxy password had not been reused, this was unlikely to compromise the\n security of the OpenVPN tunnel itself. Clients who did not use the\n\n - -http-proxy option with ntlm2 authentication were not affected.\n [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a malformed IPv6\n packet. That issue could have been abused to remotely shutdown an\n openvpn server or client, if IPv6 and --mssfix were enabled and if the\n IPv6 networks used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\n\n This update was imported from the SUSE:SLE-12:Update update project.\");\n\n script_tag(name:\"affected\", value:\"openvpn on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1680-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"openvpn\", rpm:\"openvpn~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-auth-pam-plugin\", rpm:\"openvpn-auth-pam-plugin~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-auth-pam-plugin-debuginfo\", rpm:\"openvpn-auth-pam-plugin-debuginfo~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-debuginfo\", rpm:\"openvpn-debuginfo~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-debugsource\", rpm:\"openvpn-debugsource~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-devel\", rpm:\"openvpn-devel~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-down-root-plugin\", rpm:\"openvpn-down-root-plugin~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openvpn-down-root-plugin-debuginfo\", rpm:\"openvpn-down-root-plugin-debuginfo~2.3.8~8.10.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2016-6329", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479", "CVE-2017-7512"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-06-23T00:00:00", "id": "OPENVAS:1361412562310843225", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843225", "type": "openvas", "title": "Ubuntu Update for openvpn USN-3339-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for openvpn USN-3339-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843225\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-23 07:17:19 +0200 (Fri, 23 Jun 2017)\");\n script_cve_id(\"CVE-2016-6329\", \"CVE-2017-7479\", \"CVE-2017-7508\", \"CVE-2017-7512\",\n \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for openvpn USN-3339-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openvpn'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Karthikeyan Bhargavan and Gaë tan\n Leurent discovered that 64-bit block ciphers are vulnerable to a birthday\n attack. A remote attacker could possibly use this issue to recover cleartext\n data. Fixing this issue requires a configuration change to switch to a different\n cipher. This update adds a warning to the log file when a 64-bit block cipher is\n in use. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu\n 16.10. (CVE-2016-6329) It was discovered that OpenVPN incorrectly handled\n rollover of packet ids. An authenticated remote attacker could use this issue to\n cause OpenVPN to crash, resulting in a denial of service. This issue only\n affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-7479)\n Guido Vranken discovered that OpenVPN incorrectly handled certain malformed IPv6\n packets. A remote attacker could use this issue to cause OpenVPN to crash,\n resulting in a denial of service. (CVE-2017-7508) Guido Vranken discovered that\n OpenVPN incorrectly handled memory. A remote attacker could use this issue to\n cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7512) Guido\n Vranken discovered that OpenVPN incorrectly handled an HTTP proxy with NTLM\n authentication. A remote attacker could use this issue to cause OpenVPN clients\n to crash, resulting in a denial of service, or possibly expose sensitive memory\n contents. (CVE-2017-7520) Guido Vranken discovered that OpenVPN incorrectly\n handled certain x509 extensions. A remote attacker could use this issue to cause\n OpenVPN to crash, resulting in a denial of service. (CVE-2017-7521)\");\n script_tag(name:\"affected\", value:\"openvpn on Ubuntu 17.04,\n Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3339-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3339-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.3.2-7ubuntu3.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.4.0-4ubuntu1.3\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.3.11-1ubuntu2.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.3.10-1ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479"], "description": "Several issues were discovered in openvpn, a virtual private network\napplication.\n\nCVE-2017-7479\nIt was discovered that openvpn did not properly handle the\nrollover of packet identifiers. This would allow an authenticated\nremote attacker to cause a denial-of-service via application\ncrash.\n\nCVE-2017-7508\nGuido Vranken discovered that openvpn did not properly handle\nspecific malformed IPv6 packets. This would allow a remote\nattacker to cause a denial-of-service via application crash.\n\nCVE-2017-7520\nGuido Vranken discovered that openvpn did not properly handle\nclients connecting to an HTTP proxy with NTLMv2\nauthentication. This would allow a remote attacker to cause a\ndenial-of-service via application crash, or potentially leak\nsensitive information like the user", "modified": "2019-03-18T00:00:00", "published": "2017-06-27T00:00:00", "id": "OPENVAS:1361412562310703900", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703900", "type": "openvas", "title": "Debian Security Advisory DSA 3900-1 (openvpn - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3900.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3900-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703900\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-7479\", \"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_name(\"Debian Security Advisory DSA 3900-1 (openvpn - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-27 00:00:00 +0200 (Tue, 27 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3900.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|9|10)\");\n script_tag(name:\"affected\", value:\"openvpn on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 2.3.4-5+deb8u2.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.4.0-6+deb9u1.\n\nFor the testing distribution (buster), these problems have been fixed\nin version 2.4.3-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.3-1.\n\nWe recommend that you upgrade your openvpn packages.\");\n script_tag(name:\"summary\", value:\"Several issues were discovered in openvpn, a virtual private network\napplication.\n\nCVE-2017-7479\nIt was discovered that openvpn did not properly handle the\nrollover of packet identifiers. This would allow an authenticated\nremote attacker to cause a denial-of-service via application\ncrash.\n\nCVE-2017-7508\nGuido Vranken discovered that openvpn did not properly handle\nspecific malformed IPv6 packets. This would allow a remote\nattacker to cause a denial-of-service via application crash.\n\nCVE-2017-7520\nGuido Vranken discovered that openvpn did not properly handle\nclients connecting to an HTTP proxy with NTLMv2\nauthentication. This would allow a remote attacker to cause a\ndenial-of-service via application crash, or potentially leak\nsensitive information like the user's proxy password.\n\nCVE-2017-7521\nGuido Vranken discovered that openvpn did not properly handle\nsome x509 extensions. This would allow a remote attacker to cause\na denial-of-service via application crash.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.3.4-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.4.0-6+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.4.3-1\", rls:\"DEB10\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:57:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479"], "description": "Several issues were discovered in openvpn, a virtual private network\napplication.\n\nCVE-2017-7479 \nIt was discovered that openvpn did not properly handle the\nrollover of packet identifiers. This would allow an authenticated\nremote attacker to cause a denial-of-service via application\ncrash.\n\nCVE-2017-7508 \nGuido Vranken discovered that openvpn did not properly handle\nspecific malformed IPv6 packets. This would allow a remote\nattacker to cause a denial-of-service via application crash.\n\nCVE-2017-7520 \nGuido Vranken discovered that openvpn did not properly handle\nclients connecting to an HTTP proxy with NTLMv2\nauthentication. This would allow a remote attacker to cause a\ndenial-of-service via application crash, or potentially leak\nsensitive information like the user", "modified": "2017-07-07T00:00:00", "published": "2017-06-27T00:00:00", "id": "OPENVAS:703900", "href": "http://plugins.openvas.org/nasl.php?oid=703900", "type": "openvas", "title": "Debian Security Advisory DSA 3900-1 (openvpn - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3900.nasl 6618 2017-07-07 14:17:52Z cfischer $\n# Auto-generated from advisory DSA 3900-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703900);\n script_version(\"$Revision: 6618 $\");\n script_cve_id(\"CVE-2017-7479\", \"CVE-2017-7508\", \"CVE-2017-7520\", \"CVE-2017-7521\");\n script_name(\"Debian Security Advisory DSA 3900-1 (openvpn - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 16:17:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-27 00:00:00 +0200 (Tue, 27 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3900.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"openvpn on Debian Linux\");\n script_tag(name: \"insight\", value: \"OpenVPN is an application to securely tunnel IP networks over a\nsingle UDP or TCP port. It can be used to access remote sites, make\nsecure point-to-point connections, enhance wireless security, etc.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (jessie), these problems have been fixed\nin version 2.3.4-5+deb8u2.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.4.0-6+deb9u1.\n\nFor the testing distribution (buster), these problems have been fixed\nin version 2.4.3-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.3-1.\n\nWe recommend that you upgrade your openvpn packages.\");\n script_tag(name: \"summary\", value: \"Several issues were discovered in openvpn, a virtual private network\napplication.\n\nCVE-2017-7479 \nIt was discovered that openvpn did not properly handle the\nrollover of packet identifiers. This would allow an authenticated\nremote attacker to cause a denial-of-service via application\ncrash.\n\nCVE-2017-7508 \nGuido Vranken discovered that openvpn did not properly handle\nspecific malformed IPv6 packets. This would allow a remote\nattacker to cause a denial-of-service via application crash.\n\nCVE-2017-7520 \nGuido Vranken discovered that openvpn did not properly handle\nclients connecting to an HTTP proxy with NTLMv2\nauthentication. This would allow a remote attacker to cause a\ndenial-of-service via application crash, or potentially leak\nsensitive information like the user's proxy password.\n\nCVE-2017-7521 \nGuido Vranken discovered that openvpn did not properly handle\nsome x509 extensions. This would allow a remote attacker to cause\na denial-of-service via application crash.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.3.4-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.4.0-6+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.4.3-1\", rls_regex:\"DEB10.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-29T20:11:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520"], "description": "It was discovered that there were multiple out-of-bounds memory read\nvulnerabilities in openvpn, a popular virtual private network (VPN) daemon.\n\nIf clients used a HTTP proxy with NTLM authentication, a man-in-the-middle\nattacker could cause the client to crash or disclose at most 96 bytes of stack\nmemory, likely to contain the proxy password.", "modified": "2020-01-29T00:00:00", "published": "2018-01-29T00:00:00", "id": "OPENVAS:1361412562310890999", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890999", "type": "openvas", "title": "Debian LTS: Security Advisory for openvpn (DLA-999-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890999\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7520\");\n script_name(\"Debian LTS: Security Advisory for openvpn (DLA-999-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-29 00:00:00 +0100 (Mon, 29 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"openvpn on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in openvpn version\n2.2.1-8+deb7u5.\n\nWe recommend that you upgrade your openvpn packages.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there were multiple out-of-bounds memory read\nvulnerabilities in openvpn, a popular virtual private network (VPN) daemon.\n\nIf clients used a HTTP proxy with NTLM authentication, a man-in-the-middle\nattacker could cause the client to crash or disclose at most 96 bytes of stack\nmemory, likely to contain the proxy password.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openvpn\", ver:\"2.2.1-8+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2020-01-29T20:11:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7520"], "description": "It was discovered that there was an arbitrary code execution vulnerability in\nlibcamunrar, a library to add unrar support to the Clam anti-virus software.\n\nThis was caused by an integer overflow resulting in a negative value of the\n``DestPos`` variable, which allows the attacker to write out of bounds when\nsetting ``Mem[DestPos]``.", "modified": "2020-01-29T00:00:00", "published": "2018-02-05T00:00:00", "id": "OPENVAS:1361412562310891014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891014", "type": "openvas", "title": "Debian LTS: Security Advisory for libclamunrar (DLA-1014-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891014\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7520\");\n script_name(\"Debian LTS: Security Advisory for libclamunrar (DLA-1014-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-05 00:00:00 +0100 (Mon, 05 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/07/msg00006.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"libclamunrar on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in libclamunrar version\n0.99-0+deb7u2.\n\nWe recommend that you upgrade your libclamunrar packages.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there was an arbitrary code execution vulnerability in\nlibcamunrar, a library to add unrar support to the Clam anti-virus software.\n\nThis was caused by an integer overflow resulting in a negative value of the\n``DestPos`` variable, which allows the attacker to write out of bounds when\nsetting ``Mem[DestPos]``.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libclamunrar7\", ver:\"0.99-0+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}], "thn": [{"lastseen": "2018-01-27T09:18:08", "bulletinFamily": "info", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "description": "[](<https://1.bp.blogspot.com/-wlCB_gy9hP8/WUteRwBYhII/AAAAAAAAtRY/OPsn2e0p7NkzXdQB_bXVBRf29pSkwdv9wCLcBGAs/s1600/openvpn-security-flaw.png>)\n\nA security researcher has found four vulnerabilities, including a critical remote code execution bug, in OpenVPN, those were not even caught in the two big security audits of the open source VPN software this year. \n \nOpenVPN is one of the most popular and widely used open source VPN software solutions mostly used for various connectivity needs, but it is especially popular for anonymous and private access to the Internet. \n \nThis year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software \u2013 one conducted by a team led by Johns Hopkins University crypto-boffin Dr. Matthew D. Green. \n \nThe audits resulted in a patch of a few vulnerabilities in the widely used open source software, giving OpenVPN a clean chit. \n \n\n\n### Researcher Used Fuzzer to find Bugs in OpenVPN\n\n \nResearcher Guido Vranken of Netherlands exclusively used a fuzzer and recently discovered four security holes in OpenVPN that escaped both the security audits. \n \nThree of the four flaws the researcher discovered are server-side, two of which cause servers to crash, while the remaining is a client-side bug that could allow an attacker to steal a password to gain access to the proxy. \n \nThe most critical vulnerability of all is **CVE-2017-7521**, which affects OpenVPN server-side and resides in extract_x509_extension() function which deals with SSL certificates. \n \nThe vulnerability could allow a remote authenticated attacker to craft and send a certificate that either crashes the OpenVPN service or triggers a double free that potentially lead to remote code execution within the server. \n \nVranken was not able to demonstrate the RCE bug but argued that the remote code execution could be achieved in theory. In a [report](<https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/>) published Wednesday, he had explained how one could achieve a remote memory leak because of the service's failure to check a particular return value. \n\n\n> \"If you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory,\" Vranken said in his report. \"So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved.\" \n\n> \"But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit.\"\n\nThe second vulnerability, **CVE-2017-7520**, resides in the way OpenVPN connects to a Windows NTLM version 2 proxy. \n \nA man-in-the-middle attacker between the OpenVPN client and the proxy server can either remotely crash the client or steal the user's password to the proxy from a memory leak. \n \nThe vulnerability could be triggered only under certain circumstances, like when the client connects to a proxy through NTLM version 2 authentication, or when the client specifies a username ending with a backslash. \n\n\n> \"If clients use a HTTP proxy with NTLM authentication (--http-proxy [|'auto'|'auto-nct'] ntlm2), a man-in-the-middle [MITM] attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory,\" the OpenVPN team explains. \n\n> \"The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected.\"\n\nOther two vulnerabilities (**CVE-2017-7508** and **CVE-2017-7522**) are remote server crashes which could trigger by sending maliciously-crafted IPv6 packets or malicious data post-authentication. \n \n\n\n### Patches for Servers and Clients Already Available\n\n \nVranken responsibly disclosed all the vulnerabilities he discovered to the OpenVPN team in May and June and the team has already patched the issues in its latest version of the VPN software. \n \nWhile there is no proof of any of the vulnerabilities had been publicly exploited, users are strongly advised to update their installations to [OpenVPN versions 2.4.3 or 2.3.17](<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243>) as soon as possible in order to be on the safer side. \n \nFor more in-depth technical details of all the vulnerabilities, you can head on to the report titled, _\"The OpenVPN Post-Audit Bug Bonanza,\" _[published](<https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/>) by Vranken on Wednesday.\n", "modified": "2017-06-22T08:19:38", "published": "2017-06-21T21:08:00", "id": "THN:C1BE07D6F243E68380FCD3A7F0CDD890", "href": "https://thehackernews.com/2017/06/openvpn-security-flaw_21.html", "type": "thn", "title": "Critical RCE Flaw Found in OpenVPN that Escaped Two Recent Security Audits", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2020-11-10T12:36:26", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7522"], "description": "**Issue Overview:**\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet. ([CVE-2017-7508 __](<https://access.redhat.com/security/cve/CVE-2017-7508>))\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character. ([CVE-2017-7522 __](<https://access.redhat.com/security/cve/CVE-2017-7522>))\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension(). ([CVE-2017-7521 __](<https://access.redhat.com/security/cve/CVE-2017-7521>))\n\nOpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker. ([CVE-2017-7520 __](<https://access.redhat.com/security/cve/CVE-2017-7520>))\n\n \n**Affected Packages:** \n\n\nopenvpn\n\n \n**Issue Correction:** \nRun _yum update openvpn_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openvpn-devel-2.4.3-1.19.amzn1.i686 \n openvpn-debuginfo-2.4.3-1.19.amzn1.i686 \n openvpn-2.4.3-1.19.amzn1.i686 \n \n src: \n openvpn-2.4.3-1.19.amzn1.src \n \n x86_64: \n openvpn-2.4.3-1.19.amzn1.x86_64 \n openvpn-debuginfo-2.4.3-1.19.amzn1.x86_64 \n openvpn-devel-2.4.3-1.19.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2017-06-27T17:47:00", "published": "2017-06-27T17:47:00", "id": "ALAS-2017-852", "href": "https://alas.aws.amazon.com/ALAS-2017-852.html", "title": "Important: openvpn", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "hackerone": [{"lastseen": "2019-10-23T18:01:37", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-7508", "CVE-2017-7520", "CVE-2017-7521", "CVE-2017-7522"], "description": "CVE-2017-7521 Remote server crashes/double-free/memory leaks in certificate processing\nCVE-2017-7520 Remote (including MITM) client crash, data leak\nCVE-2017-7508 Remote server crash (forced assertion failure)\nCVE-2017-7522 Crash mbed TLS/PolarSSL-based server\n(no cve) Remote/mitm Null-pointer dereference in establish_http_proxy_passthru()\n(no cve) Stack buffer overflow if long \u2013tls-cipher is given\n(no cve) Remote (including MITM) client stack buffer corruption\n\nhttps://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243\nhttps://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/", "modified": "2019-10-14T00:24:28", "published": "2017-06-23T10:58:19", "id": "H1:242579", "href": "https://hackerone.com/reports/242579", "type": "hackerone", "title": "The Internet: 4 severe remote + several minor OpenVPN vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508", "CVE-2017-7512", "CVE-2017-7520", "CVE-2017-7521"], "description": "Arch Linux Security Advisory ASA-201706-27\n==========================================\n\nSeverity: Critical\nDate : 2017-06-22\nCVE-ID : CVE-2017-7508 CVE-2017-7512 CVE-2017-7520 CVE-2017-7521\nPackage : openvpn\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-318\n\nSummary\n=======\n\nThe package openvpn before version 2.4.3-1 is vulnerable to multiple\nissues including information disclosure, arbitrary code execution and\ndenial of service.\n\nResolution\n==========\n\nUpgrade to 2.4.3-1.\n\n# pacman -Syu \"openvpn>=2.4.3-1\"\n\nThe problems have been fixed upstream in version 2.4.3.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-7508 (denial of service)\n\nA remote denial of service has been found in OpenVPN < 2.4.3, allowing\na remote client to crash a server by sending a malformed IPv6 packet.\nThe issue requires IPv6 and the --mssfix option to be enabled, and\nknowledge of the IPv6 networks used inside the VPN.\n\n- CVE-2017-7512 (denial of service)\n\nA remote denial of service has been found in OpenVPN < 2.4.3. A remote\nclient can exploit a memory leak in the server's certificate parsing\ncode to make it leak a few bytes of memory for each connection attempt,\ncausing it to run out of memory.\n\n- CVE-2017-7520 (information disclosure)\n\nA pre-authentication remote crash/information disclosure vulnerability\nhas been discovered in OpenVPN < 2.4.3. If the client uses a HTTP proxy\nwith NTLM authentication (i.e. \"--http-proxy <server> <port>\n[<authfile>|'auto'|'auto-nct'] ntlm2\") to connect to the OpenVPN\nserver, an attacker in position of man-in-the-middle between the client\nand the proxy can cause the client to crash or disclose at most 96\nbytes of stack memory. The disclosed stack memory is likely to contain\nthe proxy password.\n\n- CVE-2017-7521 (arbitrary code execution)\n\nA use-after-free has been found in OpenVPN < 2.4.3. The issue is caused\nby extract_x509_extension() not checking the return value of\nASN1_STRING_to_UTF8(), and using then freeing a memory allocation that\nhas already been freed if it failed. The issue requires the use of the\n--x509-alt-username option with an x509 extension, and is very unlikely\nto be triggered unless the remote peer can make the local process run\nout of memory.\n\nImpact\n======\n\nAn attacker in position of man-in-the-middle can access sensitive\ninformation from a client using a HTTP proxy with NTLM authentication\nto connect to the server. A remote attacker can crash a server and\npossibly execute arbitrary code on the affected host under specific\nconditions.\n\nReferences\n==========\n\nhttps://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243\nhttps://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/\nhttps://github.com/OpenVPN/openvpn/commit/c3f47077a7\nhttps://github.com/OpenVPN/openvpn/commit/2341f71619\nhttps://github.com/OpenVPN/openvpn/commit/7718c8984f\nhttps://github.com/OpenVPN/openvpn/commit/cb4e35ece4\nhttps://github.com/OpenVPN/openvpn/commit/2d032c7fcd\nhttps://security.archlinux.org/CVE-2017-7508\nhttps://security.archlinux.org/CVE-2017-7512\nhttps://security.archlinux.org/CVE-2017-7520\nhttps://security.archlinux.org/CVE-2017-7521", "modified": "2017-06-22T00:00:00", "published": "2017-06-22T00:00:00", "id": "ASA-201706-27", "href": "https://security.archlinux.org/ASA-201706-27", "type": "archlinux", "title": "[ASA-201706-27] openvpn: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508", "CVE-2017-7520", "CVE-2017-7521"], "description": "OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. ", "modified": "2017-06-23T20:54:35", "published": "2017-06-23T20:54:35", "id": "FEDORA:26D3C6076012", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: openvpn-2.4.3-1.fc25", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508", "CVE-2017-7520", "CVE-2017-7521"], "description": "OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. ", "modified": "2017-06-24T03:09:57", "published": "2017-06-24T03:09:57", "id": "FEDORA:4F7E46076A13", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: openvpn-2.4.3-1.fc26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508", "CVE-2017-7520", "CVE-2017-7521"], "description": "OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. ", "modified": "2017-06-30T20:51:03", "published": "2017-06-30T20:51:03", "id": "FEDORA:DF2946016154", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: openvpn-2.3.17-1.fc24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2017-06-26T18:15:17", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "description": "This update for openvpn fixes the following issues:\n\n - Some parts of the certificate-parsing code did not always clear all\n allocated memory. This would have allowed clients to leak a few bytes of\n memory for each connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947, CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have resulted in some\n buffers being free()d twice, and this issue could have potentially been\n triggered remotely by a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy could cause the\n client to crash or disclose at most 96 bytes of stack memory. The\n disclosed stack memory was likely to contain the proxy password. If the\n proxy password had not been reused, this was unlikely to compromise the\n security of the OpenVPN tunnel itself. Clients who did not use the\n --http-proxy option with ntlm2 authentication were not affected.\n [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a malformed IPv6\n packet. That issue could have been abused to remotely shutdown an\n openvpn server or client, if IPv6 and --mssfix were enabled and if the\n IPv6 networks used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2017-06-26T15:16:30", "published": "2017-06-26T15:16:30", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00031.html", "id": "OPENSUSE-SU-2017:1680-1", "title": "Security update for openvpn (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-21T20:15:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521"], "description": "This update for openvpn fixes the following issues:\n\n - Some parts of the certificate-parsing code did not always clear all\n allocated memory. This would have allowed clients to leak a few bytes of\n memory for each connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947, CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have resulted in some\n buffers being free()d twice, and this issue could have potentially been\n triggered remotely by a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy could cause the\n client to crash or disclose at most 96 bytes of stack memory. The\n disclosed stack memory was likely to contain the proxy password. If the\n proxy password had not been reused, this was unlikely to compromise the\n security of the OpenVPN tunnel itself. Clients who did not use the\n --http-proxy option with ntlm2 authentication were not affected.\n [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a malformed IPv6\n packet. That issue could have been abused to remotely shutdown an\n openvpn server or client, if IPv6 and --mssfix were enabled and if the\n IPv6 networks used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\n", "edition": 1, "modified": "2017-06-21T18:11:05", "published": "2017-06-21T18:11:05", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00027.html", "id": "SUSE-SU-2017:1635-1", "title": "Security update for openvpn (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-29T20:15:28", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7478", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479"], "description": "This update for openvpn-openssl1 fixes the following issues:\n\n - Some parts of the certificate-parsing code did not always clear all\n allocated memory. This would have allowed clients to leak a few bytes of\n memory for each connection attempt, thereby facilitating a (quite\n inefficient) DoS attack on the server. [bsc#1044947, CVE-2017-7521]\n\n - The ASN1 parsing code contained a bug that could have resulted in some\n buffers being free()d twice, and this issue could have potentially been\n triggered remotely by a VPN peer. [bsc#1044947, CVE-2017-7521]\n\n - If clients used a HTTP proxy with NTLM authentication, a\n man-in-the-middle attacker between client and proxy could cause the\n client to crash or disclose at most 96 bytes of stack memory. The\n disclosed stack memory was likely to contain the proxy password. If the\n proxy password had not been reused, this was unlikely to compromise the\n security of the OpenVPN tunnel itself. Clients who did not use the\n --http-proxy option with ntlm2 authentication were not affected.\n [bsc#1044947, CVE-2017-7520]\n\n - It was possible to trigger an assertion by sending a malformed IPv6\n packet. That issue could have been abused to remotely shutdown an\n openvpn server or client, if IPv6 and --mssfix were enabled and if the\n IPv6 networks used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\n - The installed sample configuration file was updated to comply to FIPS\n requirements. [bsc#988522]\n\n - Remedy large latencies on the openVPN server during authentication\n process. [bsc#959511]\n\n - Fix potential denial-of-service attacks found during independent audits.\n [bsc#1038713, bsc#1038709, CVE-2017-7478, bsc#1038711, CVE-2017-7479]\n\n", "edition": 1, "modified": "2017-06-29T18:12:39", "published": "2017-06-29T18:12:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00042.html", "id": "SUSE-SU-2017:1718-1", "title": "Security update for openvpn-openssl1 (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-06-21T20:15:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7508"], "description": "This update for openvpn fixes the following issues:\n\n - It was possible to trigger an assertion by sending a malformed IPv6\n packet. That issue could have been abused to remotely shutdown an\n openvpn server or client, if IPv6 and --mssfix were enabled and if the\n IPv6 networks used inside the VPN were known. [bsc#1044947,\n CVE-2017-7508]\n\n", "edition": 1, "modified": "2017-06-21T18:17:16", "published": "2017-06-21T18:17:16", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00028.html", "id": "SUSE-SU-2017:1642-1", "title": "Security update for openvpn (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2020-07-02T11:35:03", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2016-6329", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479", "CVE-2017-7512"], "description": "Karthikeyan Bhargavan and Ga\u00ebtan Leurent discovered that 64-bit block \nciphers are vulnerable to a birthday attack. A remote attacker could \npossibly use this issue to recover cleartext data. Fixing this issue \nrequires a configuration change to switch to a different cipher. This \nupdate adds a warning to the log file when a 64-bit block cipher is in use. \nThis issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and \nUbuntu 16.10. (CVE-2016-6329)\n\nIt was discovered that OpenVPN incorrectly handled rollover of packet ids. \nAn authenticated remote attacker could use this issue to cause OpenVPN to \ncrash, resulting in a denial of service. This issue only affected Ubuntu \n14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-7479)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain malformed \nIPv6 packets. A remote attacker could use this issue to cause OpenVPN to \ncrash, resulting in a denial of service. (CVE-2017-7508)\n\nGuido Vranken discovered that OpenVPN incorrectly handled memory. A remote \nattacker could use this issue to cause OpenVPN to crash, resulting in a \ndenial of service. (CVE-2017-7512)\n\nGuido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy \nwith NTLM authentication. A remote attacker could use this issue to cause \nOpenVPN clients to crash, resulting in a denial of service, or possibly \nexpose sensitive memory contents. (CVE-2017-7520)\n\nGuido Vranken discovered that OpenVPN incorrectly handled certain x509 \nextensions. A remote attacker could use this issue to cause OpenVPN to \ncrash, resulting in a denial of service. (CVE-2017-7521)", "edition": 5, "modified": "2017-06-22T00:00:00", "published": "2017-06-22T00:00:00", "id": "USN-3339-1", "href": "https://ubuntu.com/security/notices/USN-3339-1", "title": "OpenVPN vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:39:48", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520"], "description": "USN-3339-1 fixed several issues in OpenVPN. This update \nprovides the corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nGuido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy \nwith NTLM authentication. A remote attacker could use this issue to cause \nOpenVPN clients to crash, resulting in a denial of service, or possibly \nexpose sensitive memory contents. (CVE-2017-7520)", "edition": 6, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "USN-3339-2", "href": "https://ubuntu.com/security/notices/USN-3339-2", "title": "OpenVPN vulnerability", "type": "ubuntu", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:10:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3900-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nJune 27, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openvpn\nCVE ID : CVE-2017-7479 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521\nDebian Bug : 865480\n\nSeveral issues were discovered in openvpn, a virtual private network\napplication.\n\nCVE-2017-7479\n\n It was discovered that openvpn did not properly handle the\n rollover of packet identifiers. This would allow an authenticated\n remote attacker to cause a denial-of-service via application\n crash.\n\nCVE-2017-7508\n\n Guido Vranken discovered that openvpn did not properly handle\n specific malformed IPv6 packets. This would allow a remote\n attacker to cause a denial-of-service via application crash.\n\nCVE-2017-7520\n\n Guido Vranken discovered that openvpn did not properly handle\n clients connecting to an HTTP proxy with NTLMv2\n authentication. This would allow a remote attacker to cause a\n denial-of-service via application crash, or potentially leak\n sensitive information like the user's proxy password.\n\nCVE-2017-7521\n\n Guido Vranken discovered that openvpn did not properly handle\n some x509 extensions. This would allow a remote attacker to cause\n a denial-of-service via application crash.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 2.3.4-5+deb8u2.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.4.0-6+deb9u1.\n\nFor the testing distribution (buster), these problems have been fixed\nin version 2.4.3-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.3-1.\n\nWe recommend that you upgrade your openvpn packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 6, "modified": "2017-06-27T20:09:26", "published": "2017-06-27T20:09:26", "id": "DEBIAN:DSA-3900-1:0112E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00161.html", "title": "[SECURITY] [DSA 3900-1] openvpn security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-30T02:22:52", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520", "CVE-2017-7508", "CVE-2017-7521", "CVE-2017-7479"], "description": "Bernhard Schmidt uploaded new packages for openvpn which fixed the\nfollowing security problems:\n \nCVE-2017-7479\n \n It was discovered that openvpn did not properly handle the\n rollover of packet identifiers. This would allow an authenticated\n remote attacker to cause a denial-of-service via application\n crash. \n \nCVE-2017-7508\n \n Guido Vranken discovered that openvpn did not properly handle\n specific malformed IPv6 packets. This would allow a remote\n attacker to cause a denial-of-service via application crash.\n \nCVE-2017-7520\n \n Guido Vranken discovered that openvpn did not properly handle\n clients connecting to an HTTP proxy with NTLMv2\n authentication. This would allow a remote attacker to cause a \n denial-of-service via application crash, or potentially leak\n sensitive information like the user's proxy password.\n \nCVE-2017-7521\n \n Guido Vranken discovered that openvpn did not properly handle\n some x509 extensions. This would allow a remote attacker to cause\n a denial-of-service via application crash.\n \nFor the jessie-backports distribution the problems have been fixed in\nversion 2.4.0-6+deb9u1~bpo8+1.\n", "edition": 2, "modified": "2017-07-05T08:00:25", "published": "2017-07-05T08:00:25", "id": "DEBIAN:BSA-116:60A13", "href": "https://lists.debian.org/debian-backports-announce/2017/debian-backports-announce-201707/msg00001.html", "title": "[BSA-116] Security Update for openvpn", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-30T02:21:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520"], "description": "Package : libclamunrar\nVersion : 0.99-0+deb7u2\nCVE ID : CVE-2017-7520\nDebian Bug : #867223\n\nIt was discovered that there was an arbitrary code execution vulnerability in\nlibcamunrar, a library to add unrar support to the Clam anti-virus software.\n\nThis was caused by an integer overflow resulting in a negative value of the\n``DestPos`` variable, which allows the attacker to write out of bounds when\nsetting ``Mem[DestPos]``.\n\nFor Debian 7 "Wheezy", this issue has been fixed in libclamunrar version\n0.99-0+deb7u2.\n\nWe recommend that you upgrade your libclamunrar packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 3, "modified": "2017-07-05T21:31:14", "published": "2017-07-05T21:31:14", "id": "DEBIAN:DLA-1014-1:37017", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201707/msg00006.html", "title": "[SECURITY] [DLA 1014-1] libclamunrar security update", "type": "debian", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-05-30T02:23:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7520"], "description": "Package : openvpn\nVersion : 2.2.1-8+deb7u5\nCVE ID : CVE-2017-7520\nDebian Bug : #865480\n\nIt was discovered that there were multiple out-of-bounds memory read\nvulnerabilities in openvpn, a popular virtual private network (VPN) daemon.\n\nIf clients used a HTTP proxy with NTLM authentication, a man-in-the-middle\nattacker could cause the client to crash or disclose at most 96 bytes of stack\nmemory, likely to contain the proxy password.\n\nFor Debian 7 "Wheezy", this issue has been fixed in openvpn version\n2.2.1-8+deb7u5.\n\nWe recommend that you upgrade your openvpn packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb, Debian Project Leader\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 2, "modified": "2017-06-22T20:54:13", "published": "2017-06-22T20:54:13", "id": "DEBIAN:DLA-999-1:32E2F", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201706/msg00028.html", "title": "[SECURITY] [DLA 999-1] openvpn security update", "type": "debian", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:30", "bulletinFamily": "info", "cvelist": ["CVE-2017-7521"], "description": "OpenVPN has this week patched four vulnerabilities, including a critical remote code execution bug, a little more than a month after the results of [two security audits of the open source VPN software](<https://threatpost.com/openvpn-audits-yield-mixed-bag/125694/>) were published.\n\nThe patches were released after private disclosures in May and June by researcher Guido Vranken of the Netherlands. Vranken said the vulnerabilities were not turned up in either audit, which were a combination of manual source code reviews and automated scanning; Vranken said he exclusively used a fuzzer to find these bugs.\n\nThe most critical vulnerability, CVE-2017-7521, affects OpenVPN server side and could allow an authenticated hacker to run code on a compromised box.\n\n\u201c[CVE-2017-7521](<https://github.com/OpenVPN/openvpn/commit/cb4e35ece4a5b70b10ef9013be3bff263d82f32b>) can drain the server of available memory, which may lead to a \u2018double-free,\u2019 which is a way to corrupt the server\u2019s memory. In short, the worst-case scenario is that the user can execute their code on the server,\u201d Vranken said. \u201cThis is the worst vulnerability. They authenticate and then send crafted data, after which the server crashes. I\u2019d say this a worrisome issue for (commercial) VPN providers, so they definitely need to update as soon as possible.\u201d\n\nVranken was unaware whether any of the vulnerabilities had been publicly exploited.\n\n\u201cThis is difficult for me to say. But I\u2019d say that if I can do this in a couple of weeks of spare time out of sheer curiosity, heavily funded organizations with political objectives can do it too,\u201d he said.\n\nThree of the four vulnerabilities Vranken discovered were server-side with the other two causing [servers](<https://github.com/OpenVPN/openvpn/commit/c3f47077a7756de5929094569421a95aa66f2022>) to [crash](<https://github.com/OpenVPN/openvpn/commit/69162924de3600bfe8ae9708a1d6e3f4515ef995>). The client-side bug allows an attacker to steal a password to gain access to the proxy, Vranken said, adding that the three server flaws require the attacker be authenticated in order to exploit.\n\n\u201cThe crashes and the one that steals the password are not so difficult. A medium level of understanding of the C programming language and computer internals would be sufficient,\u201d Vranken said as to the ease of exploit. \u201cIt is also relatively easy to drain the server of memory. But to exploit that to achieve remote code execution, requires a high level of expertise.\u201d\n\nVranken provide in-depth technical explanations of each bug in a [report](<https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/>) published today. In the critical vulnerability, Vranken explains how he achieved a remote memory leak because of OpenVPN\u2019s failure to check a particular return value. From his report:\n\n\u201cIf you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory. So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved. But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit.\u201d\n\nThe [client-side](<https://github.com/OpenVPN/openvpn/commit/7718c8984f04b507c1885f363970e2124e3c6c77>) [bug](<https://github.com/OpenVPN/openvpn/commit/2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d>) also merits attention, Vranken said, adding that it is triggered only under particular certain circumstances, such as when the client connects to a proxy via NTLM version 2 authentication.\n\n\u201cAll the server issues require that the user is authenticated. This requires that the system administrator signs the certificate of a malicious user,\u201d Vranken said. \u201cFor individual users who run their private server this is unlikely to occur, but it is bad for VPN services that have automated this process for a large group of (untrusted) users.\u201d\n\nOne of the OpenVPN audits, carried out from December 2016 to February 2017, found a handful of low and medium issues but no major vulnerabilities. That audit lauded OpenVPN\u2019s overall cryptographic design, calling it solid with a caveat that some implementations could \u201cundermine a user\u2019s ability to deploy a secure VPN solution\u201d however. These bugs were patched in May.\n\nThe other audit was more of a security evaluation of the software running in OpenVPN 2.4.0; it found two bugs that were also patched in May.\n", "modified": "2017-06-21T15:14:36", "published": "2017-06-21T11:14:36", "id": "THREATPOST:738D3E12C5D9374D46CA1BEF0D15A79C", "href": "https://threatpost.com/openvpn-patches-critical-remote-code-execution-vulnerability/126425/", "type": "threatpost", "title": "OpenVPN Patches Critical Remote Code Execution Vulnerability", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-12-11T13:31:48", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000364", "CVE-2017-1000366", "CVE-2017-7502", "CVE-2017-7512"], "description": "Red Hat 3scale API Management Platform 2.0 is a platform for the management of access and traffic for web-based APIs across a variety of deployment options. \n\nSecurity Fix(es):\n\n* It was found that RH-3scale AMP would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. (CVE-2017-7512)\n\nThe underlying container image was also rebuilt to resolve other security issues. These were addressed via the following errata:\n* https://access.redhat.com/errata/RHSA-2017:1365\n* https://access.redhat.com/errata/RHSA-2017:1481\n* https://access.redhat.com/errata/RHSA-2017:1484\n\nRed Hat would like to thank Ryan Nauman (TruCode) for reporting the CVE-2017-7512 issue.", "modified": "2017-07-06T21:05:37", "published": "2017-07-06T21:04:26", "id": "RHSA-2017:1712", "href": "https://access.redhat.com/errata/RHSA-2017:1712", "type": "redhat", "title": "(RHSA-2017:1712) Important: Red Hat 3scale API Management Platform 2.0.0 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
