Re: [IPCop-devel] openVPN vulnerabilities

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi there,

On Thu, 22 Jun 2017, Administrator wrote:

> The version of openvpn in the current install of ipcop seems to be 2.3.6.
>
> Does that need patching as listed here? https://community.openvpn.net/openvpn/
> wiki/VulnerabilitiesFixedInOpenVPN243

I guess probably not, unless perhaps you're connecting to a Windows
NTLM V2 proxy:

8<----------------------------------------------------------------------
CVE-2017-7520

"Clients who do not use the --http-proxy option with ntlm2
authentication are not affected."
8<----------------------------------------------------------------------
CVE-2017-7521

"The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with 'ext:').  Extensive testing by Guido Vranken
gives confidence that this function is very unlikely to fail in
real-world usage (using subjectAltName or issuerAltName extensions)
for other reasons than memory exhaustion."
8<----------------------------------------------------------------------

In any case, as a matter of course I'd always restrict the IPs that
can connect to any VPN (and/or SSH) servers, as there are so many
bots Out There trying everything in the dictionary and then some.

--

73,
Ged.

Re: [IPCop-devel] openVPN vulnerabilities

Linux firewall distribution geared towards home and SOHO users.

Re: [IPCop-devel] openVPN vulnerabilities