OpenVPN read_key Stack Based Buffer Overflow
TSL ID TSL20170929-02
CVE ID(s) CVE-2017-12166
Severity Critical
Description

A stack-based buffer overflow vulnerability has been reported in OpenVPN. The vulnerability is due to a missing bounds check on the cipher key and HMAC key lengths supplied by the client when the deprecated key_method 1 is used for a peer-to-peer connection.

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a target peer configured to use key_method 1. Successful exploitation could result in the execution of arbitrary code in the security context of root or SYSTEM.
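The defect class described above, as an added illustration that is not OpenVPN source code and is not taken from the vendor advisory: a fixed-size key structure is filled from a peer-supplied, length-prefixed blob, first without and then with the length comparison the advisory says was missing. The names (key_material, read_key_unchecked, read_key_checked, build_key_message), the 64-byte field sizes and the wire layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not OpenVPN source. Field sizes, struct and
 * function names, and the wire layout are assumptions for this example. */
#define MAX_CIPHER_KEY_LEN 64
#define MAX_HMAC_KEY_LEN   64

struct key_material {
    uint8_t cipher[MAX_CIPHER_KEY_LEN];
    uint8_t hmac[MAX_HMAC_KEY_LEN];
};

/* Cursor over the received message; every read is bounded by the message
 * length, which by itself does not protect the destination fields. */
struct reader {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

static bool read_u8(struct reader *r, uint8_t *out)
{
    if (r->pos >= r->len) return false;
    *out = r->buf[r->pos++];
    return true;
}

static bool read_bytes(struct reader *r, uint8_t *dst, size_t n)
{
    if (n > r->len - r->pos) return false;   /* message shorter than declared */
    memcpy(dst, r->buf + r->pos, n);
    r->pos += n;
    return true;
}

/* Assumed wire layout: [cipher_len:u8][cipher][hmac_len:u8][hmac].
 *
 * Vulnerable pattern: the peer-supplied lengths become the memcpy size
 * without being compared to the destination field sizes, so a declared
 * length above 64 writes past k->cipher / k->hmac on the caller's stack. */
int read_key_unchecked(struct key_material *k, const uint8_t *msg, size_t msg_len)
{
    struct reader r = { msg, msg_len, 0 };
    uint8_t clen, hlen;
    if (!read_u8(&r, &clen) || !read_bytes(&r, k->cipher, clen)) return -1;
    if (!read_u8(&r, &hlen) || !read_bytes(&r, k->hmac, hlen)) return -1;
    return 0;
}

/* Hardened form: reject any declared length larger than its destination
 * before copying. Returns 0 on success, -1 on a short message, -2 on an
 * oversized length. */
int read_key_checked(struct key_material *k, const uint8_t *msg, size_t msg_len)
{
    struct reader r = { msg, msg_len, 0 };
    uint8_t clen, hlen;
    if (!read_u8(&r, &clen)) return -1;
    if (clen > MAX_CIPHER_KEY_LEN) return -2;   /* the bounds check that was missing */
    if (!read_bytes(&r, k->cipher, clen)) return -1;
    if (!read_u8(&r, &hlen)) return -1;
    if (hlen > MAX_HMAC_KEY_LEN) return -2;     /* the bounds check that was missing */
    if (!read_bytes(&r, k->hmac, hlen)) return -1;
    return 0;
}

/* Builds a constructed key message for exercising the readers.
 * Returns the message size, or 0 if it does not fit in out_cap. */
size_t build_key_message(uint8_t *out, size_t out_cap,
                         uint8_t clen, uint8_t cfill,
                         uint8_t hlen, uint8_t hfill)
{
    size_t need = 2 + (size_t)clen + (size_t)hlen;
    if (need > out_cap) return 0;
    out[0] = clen;
    memset(out + 1, cfill, clen);
    out[1 + clen] = hlen;
    memset(out + 2 + clen, hfill, hlen);
    return need;
}

int main(void)
{
    uint8_t msg[600];
    struct key_material k;
    size_t n = build_key_message(msg, sizeof msg, 32, 0xAA, 20, 0xBB);
    printf("well-formed message: checked=%d\n", read_key_checked(&k, msg, n));
    n = build_key_message(msg, sizeof msg, 200, 0xCC, 8, 0xDD);
    printf("oversized cipher length: checked=%d (unchecked would overflow)\n",
           read_key_checked(&k, msg, n));
    return 0;
}
```

The message-length check in read_bytes is the one most parsers already have; it stops reads past the end of the received packet but says nothing about the size of the field being written into. The defect is the absence of the second comparison, against the fixed destination size, and the fix is to make that comparison before the copy and fail the handshake when it does not hold.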

The vendor, OpenVPN, has released the following advisory regarding this vulnerability:

https://community.openvpn.net/openvpn/wiki/CVE-2017-12166

Affected Products
  • OpenVPN Project OpenVPN 2.3.x prior to 2.3.18
  • OpenVPN Project OpenVPN 2.4.x prior to 2.4.4
CVSS Score
Base 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 6.9 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References
  • https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
  • https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15492.html