The release has been prepared OpenVPN 2.6.7, a virtual private networking package that enables encrypted connections between two client machines or provides a centralized VPN server for multiple clients. The new version fixes two vulnerabilities:
- CVE-2023-46850 - A use-after-free access to a memory region could result in the contents of the process's memory being sent to the other side of the connection, and potentially leading to remote code execution. The problem occurs in configurations that use TLS (run without the --secret option).
- CVE-2023-46849 A divide-by-zero situation may lead to a remote access server crash in configurations that use the --fragment option.
Of the non-security changes in OpenVPN 2.6.7:
- Added a warning when the other side sends DATA_V1 packets when attempting to connect to the client. OpenVPN 2.6.x to incompatible servers based on versions 2.4.0-2.4.4 (to eliminate the incompatibility, you can use the option "--disable-dco").
- Removed an obsolete method tied to OpenSSL 1.x that uses the OpenSSL Engine to load keys. The reason cited is the author's reluctance to relicense the code with new linking exceptions.
- Added warning when connecting a p2p NCP client to server p2mp (a combination used to work without cipher negotiation) as there are problems when using versions 2.6.x on both sides of the connection.
- Added a warning that the "--show-groups" flag does not show all supported groups.
- In the ββdnsβ parameter, processing of the βexclude-domainsβ argument, which appeared in branch 2.6 but is not yet supported by backends, has been removed.
- Added a warning to be shown if the INFO control message is too large to be forwarded to the client.
- For builds using MinGW and MSVC, support for the CMake build system has been added. Removed support for the old MSVC build system.
Additionally, it is worth noting the identification of 9 vulnerabilities in the open VPN- SoftEther server. One issue (CVE-2023-27395) was assigned a critical severity levelβit is caused by a buffer overflow and can lead to remote code execution on the client side when attempting to connect to an attacker-controlled server. The vulnerability was fixed in the June update of SoftEther VPN 4.42 Build 9798 RTM. Two more vulnerabilities (CVE-2023-32634 and CVE-2023-27516) allow unauthorized access to a VPN session during a man-in-the-middle attack by using default credentials for the RPC server. These vulnerabilities have been patched.
Vulnerabilities CVE-2023-31192 and CVE-2023-32275 (patch) can lead to leakage of confidential information in some packages as a result of MITM attacks. The remaining 4 vulnerabilities (CVE-2023-22325, CVE-2023-23581, CVE-2023-22308 and CVE-2023-25774) can be used to cause a denial of service, such as forcing a connection or crashing a client. The SoftEther VPN codebase also recently received fixes for 7 vulnerabilities, details of which are not yet available.
Source: opennet.ru
