OpenVPN Access server vulnerable to RCE flaw?

pebam
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 22, 2017 12:36 pm

OpenVPN Access server vulnerable to RCE flaw?

Post by pebam » Thu Jun 22, 2017 12:41 pm

Hello,

Does anyone know which versions of OpenVPN-AS are vulnerable to the recent RCE flaw discovered by Guido Vranken? Patched versions of OpenVPN have been announced here viewtopic.php?f=20&t=24346 but there's no mention that I can see of corresponding Access Server versions affected. Does anyone have any insight?

bcinthesky
OpenVpn Newbie
Posts: 1
Joined: Fri Jun 23, 2017 8:00 am

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by bcinthesky » Fri Jun 23, 2017 8:01 am

I would definitely like to know the same!

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by novaflash » Fri Jun 23, 2017 9:55 am

Well, I don't have all the details, but I do know that because Access Server uses TLS auth by default, it's on most servers next to impossible to exploit these particular issues. But there's work being done to fix the issues anyways in the core OpenVPN component that Access Server uses, assuming it's even vulnerable at all. I'm sure a new version and press release will be issued soon.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

Asterman
OpenVpn Newbie
Posts: 2
Joined: Sun Jun 25, 2017 5:25 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by Asterman » Sun Jun 25, 2017 5:30 pm

I see the patched version for 2.3 has been released (2.3.17), but the Debian packages, even on the Testing branch, are still at 2.3.2. Are these no longer updated?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by novaflash » Sun Jun 25, 2017 7:12 pm

Well, repositories for the various operating systems aren't managed by OpenVPN. If you want the latest I suggest you grab it straight from the community openvpn repos directly.

Asterman
OpenVpn Newbie
Posts: 2
Joined: Sun Jun 25, 2017 5:25 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by Asterman » Mon Jun 26, 2017 1:58 am


pebam
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 22, 2017 12:36 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by pebam » Mon Jun 26, 2017 9:37 am

The latest build for Access Server available seems to be 2.1.6 https://openvpn.net/index.php/access-se ... -v200.html. The release notes mention fixes for CVE-2017-7478, CVE-2017-7479 and CVE-2017-5868. But there's no mention of CVE-2017-7521. So I'm still in the dark.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by novaflash » Mon Jun 26, 2017 2:20 pm

Asterman: that's the open source version, not Access Server.

Pebam: those last issues are tougher to exploit on AS but still in the code, they'll be fixed soon I'm sure.

pebam
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 22, 2017 12:36 pm

Re: OpenVPN Access server vulnerable to RCE flaw?

Post by pebam » Tue Jun 27, 2017 10:54 am

Hello all,
FYI, it looks like the new version with the fixes has been released: https://openvpn.net/index.php/access-se ... -v200.html

Thanks all!
