OpenVPN Access server vulnerable to RCE flaw?
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Jun 22, 2017 12:36 pm
OpenVPN Access server vulnerable to RCE flaw?
Hello,
Does anyone know which versions of OpenVPN-AS are vulnerable to the recent RCE flaw discovered by Guido Vranken? Patched versions of OpenVPN have been announced here: viewtopic.php?f=20&t=24346, but there's no mention that I can see of the corresponding Access Server versions affected. Does anyone have any insight?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Jun 23, 2017 8:00 am
Re: OpenVPN Access server vulnerable to RCE flaw?
I would definitely like to know the same!
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
Well I don't have all the details but I do know that because Access Server uses TLS auth by default, it's on most servers next to impossible to exploit these particular issues. But there's work being done to fix the issues anyways in the core OpenVPN component that Access Server uses, assuming it's even vulnerable at all. I'm sure a new version and press release will be issued soon.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jun 25, 2017 5:25 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
I see the patched version for 2.3 has been released (2.3.17), but the Debian packages, even on the Testing branch, are still at 2.3.2. Are these no longer updated?
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
Well, repositories for the various operating systems aren't managed by OpenVPN. If you want the latest I suggest you grab it straight from the community openvpn repos directly.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Jun 22, 2017 12:36 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
The latest build for Access Server available seems to be 2.1.6 https://openvpn.net/index.php/access-se ... -v200.html. The release notes mention fixes for CVE-2017-7478, CVE-2017-7479 and CVE-2017-5868. But there's no mention of CVE-2017-7521. So I'm still in the dark.
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
Asterman: that's the open source version, not Access Server.
Pebam: those last issues are tougher to exploit on AS but still in the code, they'll be fixed soon I'm sure.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Jun 22, 2017 12:36 pm
Re: OpenVPN Access server vulnerable to RCE flaw?
Hello all,
FYI, it looks like the new version with the fixes has been released: https://openvpn.net/index.php/access-se ... -v200.html
Thanks all!