FreeBSD VuXML ID: 2FE004F5-83FD-11EE-9F5D-31909FB2F495
Published: Aug 29, 2023 - 12:00 a.m.

openvpn -- 2.6.0...2.6.6 --fragment option division by zero crash, and TLS data leak

vuxml.freebsd.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.005 Low (Percentile: 77.0%)

The OpenVPN community project team reports:

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.

Reported by Niccolo Belli and WIPocket (Github #400, #417).

CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)

OS       OS Version  Architecture  Package        Package Version  Filename
FreeBSD  any         noarch        openvpn        = 2.6.0          UNKNOWN
FreeBSD  any         noarch        openvpn        < 2.6.7_1        UNKNOWN
FreeBSD  any         noarch        openvpn-devel  < g20231109,1    UNKNOWN
