Question about the vulnerability CVE-2021-3606
Posted: Tue Jun 29, 2021 1:35 pm
by pokix
Hello dear OpenVPN admin,
I just found out about CVE-2021-3606 from the related commit on GitHub here:
https://github.com/OpenVPN/openvpn/comm ... 9f6e365b1e
From what I understand, it impacts OpenVPN on the Windows side when it uses OpenSSL rather than CryptoAPI. However, I can't find out whether the vulnerability impacts the OpenVPN server or the client (or both).
Does anyone have more information about this?
Thanks in advance for your help.

Re: Question about the vulnerability CVE-2021-3606
Posted: Tue Jun 29, 2021 3:09 pm
by openvpn_inc
If I understand this correctly (and I may not, so please don't take this as authoritative) it could affect any openvpn on Windows: client, server or p2p. The code appears to be initializing crypto, and all openvpn instances would do that.
Best bet is to consider any openvpn on Windows vulnerable to this.
Hope this helps, regards, rob0
Re: Question about the vulnerability CVE-2021-3606
Posted: Tue Jun 29, 2021 3:11 pm
by pokix
Hello! Thank you for your answer. I think that you are totally right to consider everything as vulnerable.
Re: Question about the vulnerability CVE-2021-3606
Posted: Tue Jun 29, 2021 3:17 pm
by pokix
So let's imagine that an attacker makes the OpenVPN client load an openssl conf file of their own creation, with a lowered crypto level. How will the SSL transaction with the server happen? The server has the original crypto configuration, and the client will have a different one. Will OpenVPN trigger some renegotiation between them?
Sorry for the maybe-newbie question; I'm not really an expert with OpenVPN.

Re: Question about the vulnerability CVE-2021-3606
Posted: Tue Jun 29, 2021 3:49 pm
by openvpn_inc
If the server won't accept the lowered crypto level, no worries. See --data-ciphers in the manual to learn about negotiation (or --ncp-ciphers in OpenVPN 2.4 or earlier).
Regards, rob0
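An added example, not from the thread or the OpenVPN project, of what the server-side bound rob0 refers to looks like in a server config; it assumes OpenVPN 2.5 or later (the --ncp-ciphers line is the assumed 2.4 equivalent) and uses OpenVPN's standard cipher names.

```conf
# Added example (not from the thread): server-side settings that bound what a
# peer can negotiate, so a client whose local crypto configuration has been
# lowered cannot pull the session down with it.

# Data channel: the server picks the first cipher in ITS list that the client
# also advertises (the client sends its supported set during negotiation).
# A client that offers none of these fails negotiation and is rejected.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# Do not add a weak --data-ciphers-fallback (or legacy --cipher) value here;
# the fallback cipher is exactly what a client that cannot negotiate ends up on.

# Control channel (TLS): refuse handshakes below TLS 1.2, so a peer that can
# only offer older protocol versions never completes the TLS exchange.
tls-version-min 1.2

# OpenVPN 2.4 equivalent of data-ciphers (assumption: only for 2.4 servers):
# ncp-ciphers AES-256-GCM:AES-128-GCM
```

The same two directives can be set on the client, which is worth doing on the Windows installs this thread is about so that the client refuses a downgraded negotiation on its own side as well.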