Re: [Openvpn-users] * UPDATE * OpenVPN v2.4.3 and v2.3.17 releases

[Gert D. <ge...@gr...>]

Hi,

On Fri, Jun 23, 2017 at 08:05:40AM +1200, Jason Haar wrote:
> Does using tls-auth protect against these latest security issues? ie if you
> are running older versions but require tls-auth, then would that block
> attacks from hackers who don't have your tls-auth file?

There's a big bag of vulnerabilities in there.  Most of them are relevant
in special cases only, so "if you do not use a proxy with NLMv2 auth",
you're not vulnerable to that one (but if you do, tls-auth will not help
as it's failing on connection setup).

Actually, I just went through the logs, and tls-auth will not(!) protect
you in any of the cases.  

CVEs 2017-7520, 2017-7521 and 2017-7522 are somewhat niche cases - you 
need to use an NTLMv2 authenticating proxy, '--x509-username-field' or 
'--x509-track' (on the server) to be vulnerable.

CVE 2017-7508 affects anyone who is using IPv6 *inside* the tunnel, has
--mssfix enabled, and is not using a firewall on the outside that will
sanitize broken IPv6 packets (like BSD's pf(4) would do).  In that case,
someone from out there in the wild could send a malformed IPv6 packet
that makes the server ASSERT().

So: if you use tunneled IPv6 in your VPN, and bored kids can find
out which networks you use internally in the VPN and can send packets
there, upgrade.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             ge...@gr...
fax: +49-89-35655025                        ge...@ne...