This forum is for admins who are looking to build or expand their OpenVPN setup.
Moderators: TinCanTech
-
pokix
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jun 29, 2021 1:30 pm
Post
by pokix » Tue Jun 29, 2021 1:35 pm
Hello dear OpenVPN admin,
I just found out about CVE-2021-3606, related on GitHub here:
https://github.com/OpenVPN/openvpn/comm ... 9f6e365b1e
From what I understand, it impacts OpenVPN on the Windows side that uses OpenSSL rather than CryptoAPI. However, I can't find out if the vulnerability impacts the OpenVPN server or the client (or both).
Does anyone have more information about this?
Thanks in advance for your help

-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Post
by openvpn_inc » Tue Jun 29, 2021 3:09 pm
If I understand this correctly (and I may not, so please don't take this as authoritative) it could affect any openvpn on Windows: client, server or p2p. The code appears to be initializing crypto, and all openvpn instances would do that.
Best bet is to consider any openvpn on Windows vulnerable to this.
Hope this helps, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
pokix
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jun 29, 2021 1:30 pm
Post
by pokix » Tue Jun 29, 2021 3:11 pm
Hello! Thank you for your answer. I think that you are totally right to consider everything as vulnerable.
-
pokix
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jun 29, 2021 1:30 pm
Post
by pokix » Tue Jun 29, 2021 3:17 pm
So let's imagine that an attacker makes the OpenVPN client load an OpenSSL conf file of their creation: with a lowered crypto level. How will the SSL transaction with the server happen? The server has the original crypto configuration, and the client will have a different one. Will OpenVPN trigger some renegotiation between them?
Sorry for the maybe-newbie question, I'm not really an expert with OpenVPN.

-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Post
by openvpn_inc » Tue Jun 29, 2021 3:49 pm
If the server won't accept the lowered crypto level, no worries. See --data-ciphers in the manual to learn about negotiation (or --ncp-ciphers in OpenVPN 2.4 or earlier.)
Regards, rob0
OpenVPN Inc.
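To make the negotiation point in the reply above concrete, here is an added Python model of how an OpenVPN 2.5 server's --data-ciphers list constrains what a client can end up using. This is example code written for this thread, not OpenVPN's own implementation; it assumes the documented behaviour that the server walks its own list in order and takes the first cipher the client also advertises, and that no overlap means the connection is refused. The server config fragment and client offers are constructed samples.

```python
"""
Simplified model of OpenVPN 2.5 data-channel cipher negotiation (NCP).

Added illustration, not OpenVPN's own code. Assumption: the server picks the
first entry of its own --data-ciphers list that the client also advertises;
with no common cipher, the connection is refused rather than downgraded.
"""

from typing import List, Optional

# Constructed sample server config fragment (not taken from the page).
SERVER_CONFIG = """
port 1194
proto udp
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
"""


def parse_data_ciphers(config_text: str) -> List[str]:
    """Return the cipher list from the first data-ciphers line.

    The legacy 2.4 spelling --ncp-ciphers is accepted as well.
    """
    for line in config_text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] in ("data-ciphers", "ncp-ciphers"):
            return [c.strip().upper() for c in parts[1].split(":") if c.strip()]
    return []


def negotiate(server_ciphers: List[str], client_ciphers: List[str]) -> Optional[str]:
    """Server-side selection: first server-preferred cipher the client offers.

    Returns None when there is no overlap, i.e. the server refuses the client
    instead of falling back to whatever weakened set the client proposes.
    """
    offered = {c.upper() for c in client_ciphers}
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None


def describe(client_ciphers: List[str]) -> str:
    """Human-readable outcome for a given client offer against SERVER_CONFIG."""
    chosen = negotiate(parse_data_ciphers(SERVER_CONFIG), client_ciphers)
    if chosen is None:
        return "refused: no cipher acceptable to the server"
    return f"accepted with {chosen}"


if __name__ == "__main__":
    # Normal client: server preference (AES-256-GCM) wins even though the
    # client listed AES-128-GCM first.
    print(describe(["AES-128-GCM", "AES-256-GCM"]))
    # Client whose crypto configuration was weakened to a cipher the server
    # does not list: the server does not renegotiate downwards, it refuses.
    print(describe(["BF-CBC"]))
```

The takeaway matches rob0's answer: the server's list is the floor. A client that ends up with a different or weaker cipher configuration cannot pull the server below its own --data-ciphers, so reviewing that list on the server is the check worth doing.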