Researcher calls the fuzz on OpenVPN, uncovers crashy vulns OpenVPN has patched a bunch of security vulnerabilities that can be exploited to crash the service or, at a pinch, potentially gain remote-code execution. You should update your installations to versions 2.4.3 or 2.3.17 as soon as you can just to be on the safe side. The four holes were found by Guido Vranken, who took a …
Nope, doesn't have to succeed; it's during the processing of the initial certificate exchange that it happens. An actual RCE hasn't been demonstrated, just a crash, but of the sort that an RCE could probably be created from. Another potential RCE, as well as multiple information leakages, are available if the attacker actively manipulates data MITM (which is usually only possible if server verification is turned off).
There's a comparatively high number of OpenVPN installations that are just 1:1 connecting 2 computers to each other. Currently those typically use a shared key which has the advantage of shutting out most of the bugs mentioned here, but has the disadvantage of being able to decrypt all the data, once the key has leaked.
If there was a feature that would get around that, by using the shared key only for authentication, but using forward secrecy to negotiate its own key, we'd gain a lot more security for little more code.
What do you mean, "If there was a feature," just use TLS, don't use the pre-shared key method. It's explicitly recommended against in the documentation. TLS (with or without an additional PSK auth) already gives you perfect forward secrecy and has for over a decade.
Just stop being lazy and use certificates.
Yeah, but then I'd have used far more of the code, and those bugs would have been relevant.
TLS simply isn't a very good protocol security wise as it's to complex to be implemented sufficiently error free, and it has the outdated security model of CAs.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
