ProHoster > Блог > labaran intanet > Rashin lafiya a cikin OpenVPN da kuma SoftEther VPN

Rashin lafiya a cikin OpenVPN da kuma SoftEther VPN

An shirya fitar da ita OpenVPN 2.6.7, wani fakitin hanyar sadarwa mai zaman kansa na kama-da-wane wanda ke ba da damar haɗin da aka ɓoye tsakanin na'urorin abokin ciniki guda biyu ko kuma samar da sabar VPN mai tsakiya ga abokan ciniki da yawa. Sabuwar sigar tana gyara rauni guda biyu:

  • CVE-2023-46850 - Yin amfani-bayan kyauta zuwa yankin ƙwaƙwalwar ajiya na iya haifar da aika abubuwan da ke cikin ƙwaƙwalwar ajiyar tsarin zuwa wancan gefen haɗin, kuma mai yuwuwar haifar da aiwatar da lambar nesa. Matsalar tana faruwa a cikin saitunan da ke amfani da TLS (gudu ba tare da zaɓin sirri ba).
  • CVE-2023-46849 Halin raba-da-sifili na iya haifar da ɓarnar uwar garken shiga nesa a cikin saitunan da ke amfani da zaɓin --gutu.

Daga cikin canje-canjen da ba na tsaro ba a cikin OpenVPN 2.6.7:

  • An ƙara gargaɗi lokacin da ɗayan ɓangaren ya aika fakitin DATA_V1 lokacin ƙoƙarin haɗawa da abokin ciniki. OpenVPN 2.6.x zuwa sabar da ba su dace ba bisa ga sigar 2.4.0-2.4.4 (don kawar da rashin jituwa, zaku iya amfani da zaɓin "--disable-dco").
  • An cire tsohuwar hanyar da aka ɗaure da OpenSSL 1.x wacce ke amfani da Injin OpenSSL don loda maɓalli. Dalilin da aka ambata shi ne rashin son marubucin don sake lasisin lambar tare da sabbin keɓancewar haɗin kai.
  • An ƙara gargaɗi lokacin haɗa abokin ciniki na p2p NCP zuwa uwar garken p2mp (haɗin da ake amfani da shi don aiki ba tare da tattaunawar sirri ba) saboda akwai matsaloli yayin amfani da sigar 2.6.x a ɓangarorin biyu na haɗin.
  • An ƙara gargadin cewa tutar "--show-groups" ba ta nuna duk ƙungiyoyin da ke da tallafi ba.
  • A cikin ma'aunin "-dns", an cire sarrafa gardamar "ban da-domains", wanda ya bayyana a cikin reshe na 2.6 amma har yanzu bai sami goyan bayan goyan baya ba.
  • Ƙara faɗakarwa don nunawa idan saƙon sarrafa INFO ya yi girma don a tura shi ga abokin ciniki.
  • Don ginawa ta amfani da MinGW da MSVC, an ƙara tallafi ga tsarin ginin CMake. Cire tallafi don tsohon tsarin ginin MSVC.

Bugu da ƙari, ya kamata a lura da gano raunin 9 a cikin buɗewa VPN- Sabar SoftEther. An sanya wata matsala (CVE-2023-27395) a matsayin matakin tsanani mai tsanani—tana faruwa ne sakamakon kwararar ma'ajiyar bayanai kuma tana iya haifar da aiwatar da lambar nesa a ɓangaren abokin ciniki lokacin ƙoƙarin haɗawa da sabar da mai hari ke sarrafawa. An gyara raunin a cikin sabuntawar watan Yuni na SoftEther VPN 4.42 Build 9798 RTM. Wasu raunin biyu (CVE-2023-32634 da CVE-2023-27516) suna ba da damar shiga zaman VPN ba tare da izini ba yayin harin mutum-a-tsakiyar ta hanyar amfani da takaddun shaida na asali don sabar RPC. An gyara waɗannan raunin.

Lalacewar CVE-2023-31192 da CVE-2023-32275 (patch) na iya haifar da zubewar bayanan sirri a wasu fakitin sakamakon harin MITM. Sauran lahani na 4 (CVE-2023-22325, CVE-2023-23581, CVE-2023-22308 da CVE-2023-25774) ana iya amfani da su don haifar da ƙin sabis, kamar tilasta haɗi ko lalata abokin ciniki. The SoftEther VPN codebase shima kwanan nan ya sami gyare-gyare don raunin 7, cikakkun bayanai waɗanda har yanzu ba a samu ba.

source: budenet.ru

Sayi amintaccen masauki don shafuka tare da kariyar DDoS, sabar VPS VDS 🔥 Sayi ingantaccen masaukin yanar gizo tare da kariyar DDoS, sabar VPS VDS | ProHoster