Vulnerabilities > CVE-2017-7479 - Reachable Assertion vulnerability in Openvpn
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-F426ACF49D.NASL description Security fix for two remote DoS issues (CVE-2017-7478, CVE-2017-7479) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-05-24 plugin id 100363 published 2017-05-24 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100363 title Fedora 24 : openvpn (2017-f426acf49d) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-f426acf49d. # include("compat.inc"); if (description) { script_id(100363); script_version("3.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-7478", "CVE-2017-7479"); script_xref(name:"FEDORA", value:"2017-f426acf49d"); script_name(english:"Fedora 24 : openvpn (2017-f426acf49d)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fix for two remote DoS issues (CVE-2017-7478, CVE-2017-7479) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f426acf49d" ); script_set_attribute( attribute:"solution", value:"Update the affected openvpn package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openvpn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC24", reference:"openvpn-2.3.16-1.fc24")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn"); }NASL family Fedora Local Security Checks NASL id FEDORA_2017-89D98779EC.NASL description This update brings in the latest OpenVPN v2.4.2 release. This release contains fixes for two authenticated remote DoS vulnerabilities (CVE-2017-7478 and CVE-2017-7479). For more information see the upstream [security announcement](http://community.openvpn.net/openvpn/wiki/QuarkslabAndCr yptographyEngineerAudits). This build also switches back to OpenSSL 1.0, using compat-openssl10 and compat-openssl10-pkcs11-helper. This is temporarily until full OpenSSL 1.1 support have arrived OpenVPN. This should also resolve a lot of issues with features missing or not working properly with mbed TLS. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-17 plugin id 101679 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101679 title Fedora 26 : openvpn (2017-89d98779ec) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-89d98779ec. # include("compat.inc"); if (description) { script_id(101679); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-7478", "CVE-2017-7479"); script_xref(name:"FEDORA", value:"2017-89d98779ec"); script_name(english:"Fedora 26 : openvpn (2017-89d98779ec)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update brings in the latest OpenVPN v2.4.2 release. This release contains fixes for two authenticated remote DoS vulnerabilities (CVE-2017-7478 and CVE-2017-7479). For more information see the upstream [security announcement](http://community.openvpn.net/openvpn/wiki/QuarkslabAndCr yptographyEngineerAudits). This build also switches back to OpenSSL 1.0, using compat-openssl10 and compat-openssl10-pkcs11-helper. This is temporarily until full OpenSSL 1.1 support have arrived OpenVPN. This should also resolve a lot of issues with features missing or not working properly with mbed TLS. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-89d98779ec" ); script_set_attribute( attribute:"solution", value:"Update the affected openvpn package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openvpn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"openvpn-2.4.2-1.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3900.NASL description Several issues were discovered in openvpn, a virtual private network application. - CVE-2017-7479 It was discovered that openvpn did not properly handle the rollover of packet identifiers. This would allow an authenticated remote attacker to cause a denial-of-service via application crash. - CVE-2017-7508 Guido Vranken discovered that openvpn did not properly handle specific malformed IPv6 packets. This would allow a remote attacker to cause a denial-of-service via application crash. - CVE-2017-7520 Guido Vranken discovered that openvpn did not properly handle clients connecting to an HTTP proxy with NTLMv2 authentication. This would allow a remote attacker to cause a denial-of-service via application crash, or potentially leak sensitive information like the user last seen 2020-06-01 modified 2020-06-02 plugin id 101067 published 2017-06-28 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101067 title Debian DSA-3900-1 : openvpn - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3900. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(101067); script_version("3.11"); script_cvs_date("Date: 2018/11/10 11:49:38"); script_cve_id("CVE-2017-7479", "CVE-2017-7508", "CVE-2017-7520", "CVE-2017-7521"); script_xref(name:"DSA", value:"3900"); script_name(english:"Debian DSA-3900-1 : openvpn - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several issues were discovered in openvpn, a virtual private network application. - CVE-2017-7479 It was discovered that openvpn did not properly handle the rollover of packet identifiers. This would allow an authenticated remote attacker to cause a denial-of-service via application crash. - CVE-2017-7508 Guido Vranken discovered that openvpn did not properly handle specific malformed IPv6 packets. This would allow a remote attacker to cause a denial-of-service via application crash. - CVE-2017-7520 Guido Vranken discovered that openvpn did not properly handle clients connecting to an HTTP proxy with NTLMv2 authentication. This would allow a remote attacker to cause a denial-of-service via application crash, or potentially leak sensitive information like the user's proxy password. - CVE-2017-7521 Guido Vranken discovered that openvpn did not properly handle some x509 extensions. This would allow a remote attacker to cause a denial-of-service via application crash." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865480" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-7479" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-7508" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-7520" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-7521" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/openvpn" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/openvpn" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-3900" ); script_set_attribute( attribute:"solution", value: "Upgrade the openvpn packages. For the oldstable distribution (jessie), these problems have been fixed in version 2.3.4-5+deb8u2. For the stable distribution (stretch), these problems have been fixed in version 2.4.0-6+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openvpn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/06/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"openvpn", reference:"2.3.4-5+deb8u2")) flag++; if (deb_check(release:"9.0", prefix:"openvpn", reference:"2.4.0-6+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3339-1.NASL description Karthikeyan Bhargavan and Gaetan Leurent discovered that 64-bit block ciphers are vulnerable to a birthday attack. A remote attacker could possibly use this issue to recover cleartext data. Fixing this issue requires a configuration change to switch to a different cipher. This update adds a warning to the log file when a 64-bit block cipher is in use. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6329) It was discovered that OpenVPN incorrectly handled rollover of packet ids. An authenticated remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-7479) Guido Vranken discovered that OpenVPN incorrectly handled certain malformed IPv6 packets. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7508) Guido Vranken discovered that OpenVPN incorrectly handled memory. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7512) Guido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy with NTLM authentication. A remote attacker could use this issue to cause OpenVPN clients to crash, resulting in a denial of service, or possibly expose sensitive memory contents. (CVE-2017-7520) Guido Vranken discovered that OpenVPN incorrectly handled certain x509 extensions. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7521). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101024 published 2017-06-23 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101024 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : openvpn vulnerabilities (USN-3339-1) (SWEET32) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3339-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(101024); script_version("3.15"); script_cvs_date("Date: 2019/09/18 12:31:47"); script_cve_id("CVE-2016-6329", "CVE-2017-7479", "CVE-2017-7508", "CVE-2017-7512", "CVE-2017-7520", "CVE-2017-7521"); script_xref(name:"USN", value:"3339-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : openvpn vulnerabilities (USN-3339-1) (SWEET32)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Karthikeyan Bhargavan and Gaetan Leurent discovered that 64-bit block ciphers are vulnerable to a birthday attack. A remote attacker could possibly use this issue to recover cleartext data. Fixing this issue requires a configuration change to switch to a different cipher. This update adds a warning to the log file when a 64-bit block cipher is in use. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6329) It was discovered that OpenVPN incorrectly handled rollover of packet ids. An authenticated remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-7479) Guido Vranken discovered that OpenVPN incorrectly handled certain malformed IPv6 packets. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7508) Guido Vranken discovered that OpenVPN incorrectly handled memory. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7512) Guido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy with NTLM authentication. A remote attacker could use this issue to cause OpenVPN clients to crash, resulting in a denial of service, or possibly expose sensitive memory contents. (CVE-2017-7520) Guido Vranken discovered that OpenVPN incorrectly handled certain x509 extensions. A remote attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service. (CVE-2017-7521). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3339-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected openvpn package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openvpn"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2017/06/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/23"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"openvpn", pkgver:"2.3.2-7ubuntu3.2")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"openvpn", pkgver:"2.3.10-1ubuntu2.1")) flag++; if (ubuntu_check(osver:"16.10", pkgname:"openvpn", pkgver:"2.3.11-1ubuntu2.1")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"openvpn", pkgver:"2.4.0-4ubuntu1.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1622-1.NASL description This update for openvpn fixes the following issues : - CVE-2016-6329: Show which ciphers should no longer be used in openvpn --show-ciphers (bsc#995374) - CVE-2017-7478: openvpn: Authenticated user can DoS server by using a big payload in P_CONTROL (bsc#1038709) - CVE-2017-7479: openvpn: Denial of Service due to Exhaustion of Packet-ID counter (bsc#1038711) - Hardening measures found by internal audit (bsc#1038713) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100951 published 2017-06-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100951 title SUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:1622-1) (SWEET32) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:1622-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(100951); script_version("3.9"); script_cvs_date("Date: 2019/09/11 11:22:15"); script_cve_id("CVE-2016-6329", "CVE-2017-7478", "CVE-2017-7479"); script_name(english:"SUSE SLED12 / SLES12 Security Update : openvpn (SUSE-SU-2017:1622-1) (SWEET32)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for openvpn fixes the following issues : - CVE-2016-6329: Show which ciphers should no longer be used in openvpn --show-ciphers (bsc#995374) - CVE-2017-7478: openvpn: Authenticated user can DoS server by using a big payload in P_CONTROL (bsc#1038709) - CVE-2017-7479: openvpn: Denial of Service due to Exhaustion of Packet-ID counter (bsc#1038711) - Hardening measures found by internal audit (bsc#1038713) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1038709" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1038711" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1038713" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=995374" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-6329/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7478/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7479/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20171622-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?14b29af3" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-998=1 SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-998=1 SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-998=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openvpn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openvpn-auth-pam-plugin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openvpn-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openvpn-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2017/06/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/21"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openvpn-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openvpn-auth-pam-plugin-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openvpn-auth-pam-plugin-debuginfo-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openvpn-debuginfo-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openvpn-debugsource-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openvpn-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openvpn-debuginfo-2.3.8-16.14.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openvpn-debugsource-2.3.8-16.14.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvpn"); }NASL family Windows NASL id OPENVPN_2_4_2_CVE_2017_7479.NASL description According to its self-reported version number, the version of OpenVPN installed on the remote Windows host is prior to 2.3.15 or 2.4.x prior to 2.4.2. It is, therefore, affected by a denial of service vulnerability due to the unchecked rolling over of its packet-ID counter. An unauthenticated, remote attacker can exploit this issue, by sending a large number of packets, to cause the application to stop responding. last seen 2020-06-01 modified 2020-06-02 plugin id 125257 published 2019-05-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125257 title OpenVPN < 2.3.15 / 2.4.x < 2.4.2 Denial of Service Vulnerability (Windows) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125257); script_version("1.4"); script_cvs_date("Date: 2019/10/30 13:24:47"); script_cve_id("CVE-2017-7479"); script_name(english:"OpenVPN < 2.3.15 / 2.4.x < 2.4.2 Denial of Service Vulnerability (Windows)"); script_summary(english:"Checks the version of OpenVPN."); script_set_attribute(attribute:"synopsis", value:"An application on the remote Windows host is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the version of OpenVPN installed on the remote Windows host is prior to 2.3.15 or 2.4.x prior to 2.4.2. It is, therefore, affected by a denial of service vulnerability due to the unchecked rolling over of its packet-ID counter. An unauthenticated, remote attacker can exploit this issue, by sending a large number of packets, to cause the application to stop responding."); # https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c722f7c"); script_set_attribute(attribute:"solution", value:"Upgrade to OpenVPN 2.3.15 / 2.4.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7479"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/04"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openvpn:openvpn"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("openvpn_server_installed.nbin"); script_require_keys("installed_sw/OpenVPN Server"); exit(0); } include('vcf.inc'); app_info = vcf::get_app_info(app:'OpenVPN Server'); constraints = [ {'fixed_version': '2.3.15'}, {'min_version': '2.4.0', 'fixed_version':'2.4.2'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2838-1.NASL description This update for openvpn fixes the following security issues : - CVE-2017-12166: OpenVPN was vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. (bsc#1060877). - CVE-2016-6329: Now show which ciphers should no longer be used in openvpn --show-ciphers to avoid the SWEET32 attack (bsc#995374) - CVE-2017-7478: OpenVPN was vulnerable to unauthenticated Denial of Service of server via received large control packet. (bsc#1038709) - CVE-2017-7479: OpenVPN was vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker. (bsc#1038711) - Some other hardening fixes have also been applied (bsc#1038713) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104141 published 2017-10-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104141 title SUSE SLES11 Security Update : openvpn (SUSE-SU-2017:2838-1) (SWEET32) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3284-1.NASL description It was discovered that OpenVPN improperly triggered an assert when receiving an oversized control packet in some situations. A remote attacker could use this to cause a denial of service (server or client crash). (CVE-2017-7478) It was discovered that OpenVPN improperly triggered an assert when packet ids rolled over. An authenticated remote attacker could use this to cause a denial of service (application crash). (CVE-2017-7479). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100155 published 2017-05-12 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100155 title Ubuntu 17.04 : openvpn vulnerabilities (USN-3284-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-944.NASL description Denial of Service due to Exhaustion of Packet-ID counter An authenticated client can cause the server last seen 2020-03-17 modified 2017-05-17 plugin id 100226 published 2017-05-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100226 title Debian DLA-944-1 : openvpn security update NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_04CC7BD2368611E7AA64080027EF73EC.NASL description Samuli Seppanen reports : OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15. An authenticated client can do the last seen 2020-06-01 modified 2020-06-02 plugin id 100140 published 2017-05-12 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100140 title FreeBSD : OpenVPN -- two remote denial-of-service vulnerabilities (04cc7bd2-3686-11e7-aa64-080027ef73ec) NASL family Fedora Local Security Checks NASL id FEDORA_2017-0D0F18140A.NASL description This update brings in the latest OpenVPN v2.4.2 release. This release contains fixes for two authenticated remote DoS vulnerabilities (CVE-2017-7478 and CVE-2017-7479). For more information see the upstream [security announcement](http://community.openvpn.net/openvpn/wiki/QuarkslabAndCr yptographyEngineerAudits). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-05-16 plugin id 100183 published 2017-05-16 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100183 title Fedora 25 : openvpn (2017-0d0f18140a) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-717.NASL description This update for openvpn fixes the following issues : - CVE-2016-6329: Show which ciphers should no longer be used in openvpn --show-ciphers (bsc#995374) - CVE-2017-7478: openvpn: Authenticated user can DoS server by using a big payload in P_CONTROL (bsc#1038709) - CVE-2017-7479: openvpn: Denial of Service due to Exhaustion of Packet-ID counter (bsc#1038711) - Hardening measures found by internal audit (bsc#1038713) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-06-30 plugin id 101128 published 2017-06-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101128 title openSUSE Security Update : openvpn (openSUSE-2017-717) (SWEET32)