OpenVPN has recently released version 2.6.13 of its package for creating virtual private networks. This latest version enables users to establish encrypted connections between two client machines or operate a centralized VPN server for multiple clients concurrently.
The new release addresses a security issue that could potentially lead to a buffer overflow on the server side of OpenVPN. This vulnerability occurs when the server receives a login or password from a client that exceeds the user_pass_len value. As of now, a CVE identifier for this vulnerability has not been assigned, and it is unclear how it could be exploited.
Some of the safety improvements included in this update are:
- The client now sends IV_Platform_ver to the server, which contains information about the operating system release obtained from the Uname() function. This allows servers to collect statistics on the OS versions used by clients.
- On Linux systems, the SystemD-Osk-Password process now features the parameter “–timeout=0” to disable the 90-second timeout for secret configuration.
- Memory leaks have been fixed on FreeBSD systems.
- When launched with the option “-ass-nocache,” the authentication parameters for proxies are now removed after they have been used.
- The Windows Client now utilizes the CryptProtectMemory() function for secure storage of passwords and tokens in memory. Additionally, a new API has been implemented to retrieve the version of the DCO-Win driver.
/Reports, release notes, official announcements.