Hi,
The software I am using falls into the following two categories. I would greatly appreciate it if you could advise whether vulnerabilities(CVE-2023-36672、CVE-2023-35838、CVE-2023-36671、CVE-2023-36673) occur in the following software and the VPN connections they were used with:
OpenVPN Client (Community Edition: OpenVPN 2.4.6 (I602))
OpenVPN Connect (Provided by OpenVPN Inc.: 3.3.7 (2979))
I checked the OpenVPN vulnerability response page(https://openvpn.net/security-advisories/), but there was no information listed, so I couldn't make a judgment.
Are the vulnerabilities CVE-2023-36672 and others present in VPN connections using the OpenVPN Client(/Connect)?
-
SmallField
- OpenVpn Newbie
- Posts: 7
- Joined: Tue Jan 25, 2022 10:39 am
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Are the vulnerabilities CVE-2023-36672 and others present in VPN connections using the OpenVPN Client(/Connect)?
Hello,
A statement is expected to be made about this on the main website.
But in short... this has been known for forever and is part of the design of IP addressing and affects pretty much any VPN solution. It's just been pointed out in a security report that doesn't really change anything. There's nothing new and exciting about this. At best some mitigations could be made to try to ensure that traffic stays within the VPN tunnel context. But the gist of it is that if you use untrusted networks, malicious actions are possible. So don't use untrusted networks where possible. And even if you do, chances are fairly low that things get exploited. That doesn't mean we won't do anything about it, it just means that the risk is somewhat overstated and some mitigations will come in future releases of all VPN software to try to ensure that traffic stays within the VPN context.
Note that this doesn't affect just OpenVPN. It's pretty much any VPN solution out there. It's a basic part of the design of IP addressing and nothing shocking to be honest. You can check with independent security researchers about this topic.
I know that the OpenVPN community and the OpenVPN Inc. company are dedicated to providing secure solutions, so mitigations are expected to be developed in future releases. For the short term though, stay away from untrusted networks that are potentially malicious and you will be fine.
Kind regards,
Johan
A statement is expected to be made about this on the main website.
But in short... this has been known for forever and is part of the design of IP addressing and affects pretty much any VPN solution. It's just been pointed out in a security report that doesn't really change anything. There's nothing new and exciting about this. At best some mitigations could be made to try to ensure that traffic stays within the VPN tunnel context. But the gist of it is that if you use untrusted networks, malicious actions are possible. So don't use untrusted networks where possible. And even if you do, chances are fairly low that things get exploited. That doesn't mean we won't do anything about it, it just means that the risk is somewhat overstated and some mitigations will come in future releases of all VPN software to try to ensure that traffic stays within the VPN context.
Note that this doesn't affect just OpenVPN. It's pretty much any VPN solution out there. It's a basic part of the design of IP addressing and nothing shocking to be honest. You can check with independent security researchers about this topic.
I know that the OpenVPN community and the OpenVPN Inc. company are dedicated to providing secure solutions, so mitigations are expected to be developed in future releases. For the short term though, stay away from untrusted networks that are potentially malicious and you will be fine.
Kind regards,
Johan
OpenVPN Inc.Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support