Vulnerabilities > CVE-2017-12166 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
openvpn
debian
CWE-787
critical
nessus

Summary

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

Vulnerable Configurations

Part Description Count
Application
Openvpn
301
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-5882331351.NASL
    descriptionMaintenance release with several minor upstream bugfixes and a security fix related to legacy configurations deploying the deprecated `key-method 1` configuration option ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017- 12166)). From this update of, OpenVPN will use the lz4 compression library from Fedora instead of the upstream bundled library. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105881
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105881
    titleFedora 27 : openvpn (2017-5882331351)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-5882331351.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105881);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-12166");
      script_xref(name:"FEDORA", value:"2017-5882331351");
      script_xref(name:"IAVA", value:"2017-A-0285");
    
      script_name(english:"Fedora 27 : openvpn (2017-5882331351)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Maintenance release with several minor upstream bugfixes and a
    security fix related to legacy configurations deploying the deprecated
    `key-method 1` configuration option
    ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017-
    12166)). From this update of, OpenVPN will use the lz4 compression
    library from Fedora instead of the upstream bundled library.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5882331351"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://community.openvpn.net/openvpn/wiki/CVE-2017-12166"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvpn package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openvpn");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"openvpn-2.4.4-1.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-700915E34F.NASL
    descriptionMaintenance release with several minor upstream bugfixes and a security fix related to legacy configurations deploying the deprecated `key-method 1` configuration option ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017- 12166)). From this update of, OpenVPN will use the lz4 compression library from Fedora instead of the upstream bundled library. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-10-03
    plugin id103611
    published2017-10-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103611
    titleFedora 26 : openvpn (2017-700915e34f)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-700915e34f.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103611);
      script_version("3.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-12166");
      script_xref(name:"FEDORA", value:"2017-700915e34f");
      script_xref(name:"IAVA", value:"2017-A-0285");
    
      script_name(english:"Fedora 26 : openvpn (2017-700915e34f)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Maintenance release with several minor upstream bugfixes and a
    security fix related to legacy configurations deploying the deprecated
    `key-method 1` configuration option
    ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017-
    12166)). From this update of, OpenVPN will use the lz4 compression
    library from Fedora instead of the upstream bundled library.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-700915e34f"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://community.openvpn.net/openvpn/wiki/CVE-2017-12166"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvpn package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openvpn");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"openvpn-2.4.4-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2838-1.NASL
    descriptionThis update for openvpn fixes the following security issues : - CVE-2017-12166: OpenVPN was vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. (bsc#1060877). - CVE-2016-6329: Now show which ciphers should no longer be used in openvpn --show-ciphers to avoid the SWEET32 attack (bsc#995374) - CVE-2017-7478: OpenVPN was vulnerable to unauthenticated Denial of Service of server via received large control packet. (bsc#1038709) - CVE-2017-7479: OpenVPN was vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker. (bsc#1038711) - Some other hardening fixes have also been applied (bsc#1038713) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104141
    published2017-10-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104141
    titleSUSE SLES11 Security Update : openvpn (SUSE-SU-2017:2838-1) (SWEET32)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-920.NASL
    descriptionOpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. (CVE-2017-12166)
    last seen2020-06-01
    modified2020-06-02
    plugin id104394
    published2017-11-06
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104394
    titleAmazon Linux AMI : openvpn (ALAS-2017-920)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2839-1.NASL
    descriptionThis update for openvpn fixes the following issues : - CVE-2017-12166: Lack of bound check in read_key in old legacy key handling before using values could be used for a remote buffer overflow (bsc#1060877). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104142
    published2017-10-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104142
    titleSUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:2839-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1202.NASL
    descriptionThis update for openvpn fixes the following issues : - CVE-2017-12166: Lack of bound check in read_key in old legacy key handling before using values could be used for a remote buffer overflow (bsc#1060877). This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2017-10-30
    plugin id104238
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104238
    titleopenSUSE Security Update : openvpn (openSUSE-2017-1202)
  • NASL familyWindows
    NASL idOPENVPN_2_3_18_AND_2_4_4_WIN.NASL
    descriptionAccording to its self-reported version number, the version of OpenVPN installed on the remote host is affected by an error related to a weakness in the
    last seen2020-06-01
    modified2020-06-02
    plugin id103701
    published2017-10-06
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103701
    titleOpenVPN 2.x < 2.3. 18/ 2.4.x < 2.4.4 Buffer Overflow Vulnerability w/ key-method 1
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3DD6CCF4A3C611E7A52E0800279F2FF8.NASL
    descriptionSteffan Karger reports : The bounds check in read_key() was performed after using the value, instead of before. If
    last seen2020-06-01
    modified2020-06-02
    plugin id103523
    published2017-09-28
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103523
    titleFreeBSD : OpenVPN -- out-of-bounds write in legacy key-method 1 (3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8)