Are you a user of OpenVPN? The software patched four vulnerabilities just this week. One of the flaws is quite severe – a remote code execution bug that could allow an authenticated attacker to run code on a compromised box. The vulnerability is identified as CVE-2017-7521.
CVE-2017-7521 Technical Details
The flaw affects the OpenVPN server side and, as explained by Guido Vranken, can cause “Remote server crashes/double-free/memory leaks in certificate processing”. In addition:
CVE-2017-7521 can drain the server of available memory, which may lead to a ‘double-free,’ which is a way to corrupt the server’s memory. In short, the worst-case scenario is that the user can execute their code on the server. This is the worst vulnerability. They authenticate and then send crafted data, after which the server crashes. I’d say this is a worrisome issue for (commercial) VPN providers, so they definitely need to update as soon as possible.
The Other Flaws (CVE-2017-7520, CVE-2017-7522, CVE-2017-7508)
The patches for all four flaws, including CVE-2017-7521, were issued after Vranken, who used a fuzzer to find the bugs, disclosed them privately.
Were the flaws exploited in public attacks? The researcher says he doesn’t know. “This is difficult for me to say. But I’d say that if I can do this in a couple of weeks of spare time out of sheer curiosity, heavily funded organizations with political objectives can do it too,” he explained.
Three of the flaws the researcher came across were server-side and cause servers to crash. The client-side flaw enables hackers to steal passwords to obtain access to the proxy. The server-side flaws require the hacker to be authenticated.
All the server issues require that the user is authenticated. This requires that the system administrator signs the certificate of a malicious user. For individual users who run their private server this is unlikely to occur, but it is bad for VPN services that have automated this process for a large group of (untrusted) users.
You can view the full report here.