OpenVPN Support Forum

Hi,

The software I am using falls into the following two categories. I would greatly appreciate it if you could advise whether vulnerabilities(CVE-2023-36672、CVE-2023-35838、CVE-2023-36671、CVE-2023-36673) occur in the following software and the VPN connections they were used with:

OpenVPN Client (Community Edition: OpenVPN 2.4.6 (I602))
OpenVPN Connect (Provided by OpenVPN Inc.: 3.3.7 (2979))

I checked the OpenVPN vulnerability response page(https://openvpn.net/security-advisories/), but there was no information listed, so I couldn't make a judgment.

Hello,

A statement is expected to be made about this on the main website.

But in short... this has been known for forever and is part of the design of IP addressing and affects pretty much any VPN solution. It's just been pointed out in a security report that doesn't really change anything. There's nothing new and exciting about this. At best some mitigations could be made to try to ensure that traffic stays within the VPN tunnel context. But the gist of it is that if you use untrusted networks, malicious actions are possible. So don't use untrusted networks where possible. And even if you do, chances are fairly low that things get exploited. That doesn't mean we won't do anything about it, it just means that the risk is somewhat overstated and some mitigations will come in future releases of all VPN software to try to ensure that traffic stays within the VPN context.

Note that this doesn't affect just OpenVPN. It's pretty much any VPN solution out there. It's a basic part of the design of IP addressing and nothing shocking to be honest. You can check with independent security researchers about this topic.

I know that the OpenVPN community and the OpenVPN Inc. company are dedicated to providing secure solutions, so mitigations are expected to be developed in future releases. For the short term though, stay away from untrusted networks that are potentially malicious and you will be fine.

Kind regards,
Johan