OpenVPN 2.5.7 Release Fixes Two Vulnerabilities
OpenVPN has released version 2.5.7, a package for creating virtual private networks that enables encrypted connections between client machines or the operation of a centralized VPN server serving multiple customers. This update specifically addresses two vulnerabilities:
- CVE-2023-46850: This vulnerability occurs in configurations using Transport Layer Security (TLS) and can result in the leaking of process memory and potential remote code execution. The issue arises when the field of memory is accessed after it has been released (USE-AFTER-FREE) and the OpenVPN 2.5.7 is launched without the parameter “–Secret”.
- CVE-2023-46849: This vulnerability can trigger a zero division that leads to the remote initiation of emergency completion of the access server in configurations using the option “–fragment”.
In addition, OpenVPN 2.5.7 includes various security-related improvements, unrelated to the above vulnerabilities:
- A warning has been added when sending Data_v1 packages from an OpenVPN 2.6.X client to incompatible servers based on versions 2.4.0-2.4.4. To resolve this compatibility issue, the “-Disable-DCO” option can be used.
- An outdated method using Opensl Engine to download keys has been addressed, as the author found it cumbersome to translocate the code with new exceptions to the binding.
- A warning has been added when connecting the client P2P NCP to the P2MP server, as versions 2.6.x on both sides of the connection have encountered issues when used without coordination of ciphers.
- A warning now informs that the flag “Show-Groups” doesn’t display all supported groups.
- The processing of the “Exclude-Domains” argument in the “–dns” parameter has been
/Reports, release notes, official announcements.