Vulnerabilities in OpenVPN and SoftEther VPN
On November 12, 2023, OpenVPN 2.5.7 was released. OpenVPN is a package for creating virtual private networks (VPNs), allowing for encrypted connections between two client machines or enabling a centralized VPN server to support multiple clients simultaneously. The new version addresses two vulnerabilities:
- CVE-2023-46850 – A use-after-free memory issue could result in sending process memory contents to the other side of the connection, and potentially allow remote code execution. The problem occurs in configurations using TLS (launched without the --secret parameter).
- CVE-2023-46849 – A division-by-zero error could allow remote attackers to trigger a server crash in configurations using the --fragment option.
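The two issues above depend on configuration state: TLS mode (no static key) for CVE-2023-46850 and the fragment option for CVE-2023-46849. The following added Python example (not OpenVPN project code) parses an OpenVPN config and reports which of those preconditions it meets; the sample configs are constructed, and only the directives named in the advisory are checked.

```python
import re

# Added example; certificate material inside inline <tag>...</tag> blocks
# is skipped so it is never mistaken for configuration directives.
_BLOCK_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

def parse_directives(text):
    """Return {directive: [args]} ignoring comments and inline block bodies."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            in_block = m.group(1)
            directives[in_block] = ["<inline>"]
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args   # accept 'fragment' or '--fragment'
    return directives

def exposed_cves(text):
    """CVE ids from the advisory above whose preconditions this config meets."""
    d = parse_directives(text)
    cves = []
    if "secret" not in d:       # no static key => TLS mode => CVE-2023-46850 path
        cves.append("CVE-2023-46850")
    if "fragment" in d:         # --fragment enables the division-by-zero path
        cves.append("CVE-2023-46849")
    return cves

# Constructed sample configs, not taken from any real deployment.
TLS_SERVER_CFG = """
dev tun
<ca>
-----BEGIN CERTIFICATE-----
secret fragment   (inside the block; must not be read as directives)
-----END CERTIFICATE-----
</ca>
# fragmentation enabled: meets the CVE-2023-46849 precondition
fragment 1300
"""
STATIC_KEY_CFG = "dev tun\nsecret static.key\n"
```

Running `exposed_cves(TLS_SERVER_CFG)` returns both CVE ids, while the static-key config returns an empty list.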
Other Changes in OpenVPN 2.5.7
- Added a warning when DATA_V1 packets are sent by the other side during attempts to connect an OpenVPN 2.6.x client to incompatible servers based on versions 2.4.0-2.4.4. (To resolve the incompatibility, use the --disable-dco option.)
- Removed the outdated OpenSSL 1.x method that used OpenSSL Engine for key loading, because its author was unwilling to relicense the code under the new linking exception.
- Added a warning when a p2p NCP client connects to a p2mp server (a combination used to operate without cipher negotiation), as issues may arise when using version 2.6.x on both sides of the connection.
- Added a warning that the --show-groups flag does not display all supported groups.
- Removed handling of the exclude-domains argument of the --dns option, which appeared in the 2.6 branch but is not yet supported by any backend.
- Added a warning if an INFO management message is too large to be forwarded to the client.
- For builds using MinGW and MSVC, added support for the CMake build system. Removed support for the old MSVC build system.
SoftEther VPN Vulnerabilities
Additionally, nine vulnerabilities were identified in the open-source VPN server SoftEther. One of these (CVE-2023-27395) is rated as critical. This buffer overflow vulnerability could allow remote code execution on the client side when connecting to a server controlled by an attacker. The vulnerability has so far only been addressed via a patch.
Two more vulnerabilities (CVE-2023-32634 and CVE-2023-27516) could allow unauthorized access to a VPN session by exploiting default credentials for the RPC server, which can be intercepted during a man-in-the-middle (MITM) attack. These have also been patched.
Vulnerabilities CVE-2023-31192 and CVE-2023-32275 (patch available) could lead to the leakage of confidential information in certain packets as a result of MITM attacks. The remaining four vulnerabilities (CVE-2023-22325, CVE-2023-23581, CVE-2023-22308, and CVE-2023-25774) can be used to cause denial of service, such as forcing a connection drop or client crash.
Recently, a fix for seven additional vulnerabilities was also accepted into the SoftEther VPN codebase, but details about these have not yet been disclosed.