Closed vulnerabilities in OpenVPN Access Server

The developers have discovered security gaps in the open source VPN software OpenVPN, specifically in the OpenVPN Access Server, which attackers could have misused, for example, to amplify DDoS attacks. Version 2.11.0 of the software closes the vulnerabilities. Severity ratings for the security gaps have not yet been published, but administrators are advised to update quickly.

In the OpenVPN Access Server prior to version 2.11.0, a weak random number generator was used to create session tokens for the users of the web portal (CVE-2022-33738). Also, since version 2.10.0, the installer created a human-readable log file that could contain the randomly generated admin password (CVE-2022-33737).

Access Server 2.10 and earlier versions could also have sent multiple packets in response to a single reset packet from a client. Because the client does not answer these packets, this could have been used for a limited amplification attack, i.e. DDoS amplification, in which attackers use just a few packets to provoke large amounts of traffic on an Internet link in order to knock a target system off the network (CVE-2021-4234).
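As an added illustration (not code from the OpenVPN project) of how a defender can spot the behaviour described above in a packet capture, the following checks a constructed packet log for clients whose reset packets draw more than one reply, or more bytes back than they sent. The record layout and the "reset"/"reply" labels are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One captured packet; this layout is an assumption for the example."""
    ts: float    # capture time in seconds
    src: str     # source address
    dst: str     # destination address
    kind: str    # "reset" (client -> server) or "reply" (server -> client)
    size: int    # bytes on the wire

def amplification_per_client(pkts, server, window=1.0):
    """Return {client: (replies per reset, bytes out / bytes in)}.
    Each reply is attributed to the latest reset from the same client seen
    within `window` seconds; a fixed server answers a reset at most once.
    """
    resets, bytes_in = defaultdict(int), defaultdict(int)
    replies, bytes_out = defaultdict(int), defaultdict(int)
    last_reset = {}
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.dst == server and p.kind == "reset":
            resets[p.src] += 1
            bytes_in[p.src] += p.size
            last_reset[p.src] = p.ts
        elif p.src == server and p.kind == "reply":
            t = last_reset.get(p.dst)
            if t is not None and p.ts - t <= window:
                replies[p.dst] += 1
                bytes_out[p.dst] += p.size
    return {c: (replies[c] / resets[c], bytes_out[c] / bytes_in[c])
            for c in resets}

def flag_amplifiers(ratios, max_replies=1.0, max_bytes=1.0):
    """Clients whose resets drew more than one reply or more bytes than sent."""
    return sorted(c for c, (r, b) in ratios.items()
                  if r > max_replies or b > max_bytes)

# Constructed sample capture: 10.0.0.5 gets three replies per reset
# (amplifying behaviour), 10.0.0.9 gets exactly one (expected behaviour).
SERVER = "192.0.2.10"
SAMPLE = [
    Pkt(0.00, "10.0.0.5", SERVER, "reset", 54),
    Pkt(0.01, SERVER, "10.0.0.5", "reply", 70),
    Pkt(0.02, SERVER, "10.0.0.5", "reply", 70),
    Pkt(0.03, SERVER, "10.0.0.5", "reply", 70),
    Pkt(0.10, "10.0.0.9", SERVER, "reset", 54),
    Pkt(0.11, SERVER, "10.0.0.9", "reply", 54),
]
```

Running `flag_amplifiers(amplification_per_client(SAMPLE, SERVER))` on the sample returns only the client whose resets were answered more than once.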

The developers have also added new functions and further bug fixes; the OpenVPN project lists them in the release notes. The software now also supports Ubuntu 22.04 LTS (Jammy Jellyfish), uses scrypt for local password hashes and supports authentication based on the SAML standard.

The updated software packages for the various distributions are available on the OpenVPN download page. Administrators should install them promptly so that their systems do not unintentionally become part of DDoS attacks.
