Components Affected
Overview
Multiple vulnerabilities were identified in OpenVPN. A remote attacker could exploit some of these vulnerabilities to trigger a denial-of-service condition and sensitive information disclosure on the targeted system.
Description
Two vulnerabilities have been discovered in OpenVPN. The first is a division-by-zero crash. It is less easily exploitable on Access Server because the default configuration does not include the --fragment option and uses enhanced control channel security; however, exploitation is still possible under specific circumstances. The second is a more serious use-after-free memory issue that risks leaking sensitive information from memory. It arises from OpenVPN incorrectly using a freed send buffer, potentially disclosing information to the client peer. The TLS configuration is affected by this vulnerability.
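A configuration check for the two conditions the description ties to the division-by-zero crash, added here as an example; it is not part of the original advisory and is not OpenVPN's own code. It assumes "enhanced control channel security" refers to the tls-auth, tls-crypt and tls-crypt-v2 directives, which the advisory does not name, and the sample configs are constructed.

```python
import shlex

# Assumption: these real OpenVPN directives are what the advisory means by
# "enhanced control channel security"; the page itself does not name them.
CONTROL_CHANNEL_DIRECTIVES = {"tls-auth", "tls-crypt", "tls-crypt-v2"}

# Constructed sample configs (not taken from the advisory).
SAMPLE_EXPOSED = "port 1194\nproto udp\nfragment 1300  # enabled\n;tls-auth ta.key 0\n"
SAMPLE_DEFAULT_LIKE = "proto udp\n;fragment 1300\n<tls-crypt>\n(placeholder key)\n</tls-crypt>\n"


def parse_directives(config_text):
    """Return {directive: [args, ...]} for every active line of an OpenVPN config."""
    directives = {}
    inline_block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_block:                          # skip key material inside <x>...</x>
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":           # both comment markers are valid
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_block = line[1:-1]             # inline form, e.g. <tls-crypt>
            directives.setdefault(inline_block, []).append(["[inline]"])
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                        # unbalanced quote: fall back
            tokens = line.split()
        if tokens:
            name = tokens[0].lstrip("-")          # tolerate CLI-style "--fragment"
            directives.setdefault(name, []).append(tokens[1:])
    return directives


def exposure_factors(config_text):
    """Report whether fragment is active and which control channel keys are set."""
    d = parse_directives(config_text)
    fragment_args = d.get("fragment", [])
    return {
        "fragment_enabled": bool(fragment_args),
        "fragment_values": [a[0] for a in fragment_args if a],
        "control_channel_protection": sorted(CONTROL_CHANNEL_DIRECTIVES.intersection(d)),
    }


if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_EXPOSED), ("default-like", SAMPLE_DEFAULT_LIKE)):
        print(label, exposure_factors(cfg))
```

The result describes configuration exposure to the first issue only; it says nothing about the use-after-free issue, and it does not replace applying the vendor fixes.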
Impact
Solution/Workarounds
Apply fixes issued by the vendor:
Reference
Disclaimer
The information provided herein is on an “as is” basis, without warranty of any kind.