CVE-2005-3409 - Remote Denial Of Service vulnerability in Openvpn and Openvpn Access Server

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, openvpn, nessus

Summary

OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote attackers to cause a denial of service (segmentation fault) by forcing the accept function call to return an error status, which leads to a null dereference in an exception handler.

Vulnerable Configurations

Part: Application
Description: Openvpn
Count: 78

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-206.NASL
    description: Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur if, when in TCP server mode, OpenVPN received an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems. Update: Packages are now available for Mandriva Linux 2006.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20440
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20440
    title: Mandrake Linux Security Advisory : openvpn (MDKSA-2005:206-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:206. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20440);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2005-3393", "CVE-2005-3409");
      script_xref(name:"MDKSA", value:"2005:206-1");
    
      script_name(english:"Mandrake Linux Security Advisory : openvpn (MDKSA-2005:206-1)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two Denial of Service vulnerabilities exist in OpenVPN. The first
    allows a malicious or compromised server to execute arbitrary code on
    the client (CVE-2005-3393). The second DoS can occur if when in TCP
    server mode, OpenVPN received an error on accept(2) and the resulting
    exception handler causes a segfault (CVE-2005-3409).
    
    The updated packages have been patched to correct these problems.
    
    Update :
    
    Packages are now available for Mandriva Linux 2006."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvpn package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openvpn");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"openvpn-2.0.1-2.1.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200511-07.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200511-07 (OpenVPN: Multiple vulnerabilities). The OpenVPN client contains a format string bug in the handling of the foreign_option in options.c. Furthermore, when the OpenVPN server runs in TCP mode, it may dereference a NULL pointer under specific error conditions. Impact: A remote attacker could set up a malicious OpenVPN server and trick the user into connecting to it, potentially executing arbitrary code on the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20157
    published: 2005-11-07
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20157
    title: GLSA-200511-07 : OpenVPN: Multiple vulnerabilities
  • NASL family: Windows
    NASL id: OPENVPN_2_0_4.NASL
    description: According to its self-reported version number, the version of OpenVPN server installed on the remote Windows host is version 2.0.x prior to 2.0.4. It is, therefore, affected by a denial of service (DoS) vulnerability in its TCP/IP accept function component. An unauthenticated, remote attacker can exploit this issue, by forcing the accept function to return an error status which leads to a null dereference in an exception handler, to cause the application to stop responding.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128773
    published: 2019-09-16
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128773
    title: OpenVPN Server 2.0.x < 2.0.4 Denial of Service Vulnerability
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_3DE493310DEC422C93E5E4719E9869C5.NASL
    description: James Yonan reports: If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21416
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21416
    title: FreeBSD : openvpn -- potential denial-of-service on servers in TCP mode (3de49331-0dec-422c-93e5-e4719e9869c5)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-885.NASL
    description: Several vulnerabilities have been discovered in OpenVPN, a free virtual private network daemon. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3393: A format string vulnerability has been discovered that could allow arbitrary code to be executed on the client. CVE-2005-3409: A NULL pointer dereferencing has been discovered that could be exploited to crash the service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22751
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22751
    title: Debian DSA-885-1 : openvpn - several vulnerabilities