OpenVPN Advisory information — VNS3 is not impacted, no action required

Cohesive Networks
VNS3 technical blog
Jun 22, 2017

The OpenVPN project recently released fixes for a number of newly discovered vulnerabilities. These vulnerabilities are NOT applicable to any deployed versions of VNS3.

VNS3 uses OpenVPN, the open source and most used TLS VPN system in the world, to support the VNS3 encrypted overlay capabilities. This includes server-side functionality inside VNS3, and the OpenVPN client, which is used as the TLS tunneling agent on customer hosts connecting securely to VNS3.

VNS3’s machine-to-machine networking model does not use the features or configurations affected by these vulnerabilities, and the exploits cannot be triggered without those features/configurations in use. Fear not, no immediate customer remediation is required.

In an upcoming release we will update to the latest version of OpenVPN server technology to better protect future use-cases. As an FYI, here is the OpenVPN advisory information:

CVE-2017-7508: a remotely triggerable ASSERT() on a malformed IPv6 packet, which can be exploited to remotely shut down an OpenVPN server or client. *This does not affect VNS3*, and it is only exploitable if the IPv6 networks used inside the VPN are known.

CVE-2017-7521: a remotely triggerable memory leak, where not all allocated memory is freed when the --x509-alt-username option is used with OpenSSL. *This does not affect VNS3.*

CVE-2017-7521: a potential double-free in --x509-alt-username. *This does not affect VNS3*, and the bug can be triggered only on configurations that use the --x509-alt-username option with an x509 extension.

CVE-2017-7522: a post-authentication remote DoS when using the --x509-track option. This vulnerability resides in asn1_buf_to_c_string() returning a literal string, not a mutable one, when the input ASN.1 string contains a NUL character. Because the caller then attempts to change this string, a client can crash a server by sending a certificate with an embedded NUL character. *This does not affect VNS3.*
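Since each issue above depends on a specific option or feature being enabled, one way to check your own OpenVPN configuration for exposure is a small audit script. This is an added example, not code from Cohesive Networks or the OpenVPN project; the sample configuration is constructed, and the mapping of IPv6 directives to CVE-2017-7508 is an assumption about what "IPv6 inside the VPN" means in a config file.

```python
# Map OpenVPN config directives to the CVEs in the advisory list above.
# The option-to-CVE pairs for x509-alt-username and x509-track come from the
# advisory text. The IPv6 directive names are an ASSUMPTION: the advisory only
# says IPv6 networks must be in use inside the VPN.
OPTION_CVES = {
    "x509-alt-username": ["CVE-2017-7521"],
    "x509-track": ["CVE-2017-7522"],
    "server-ipv6": ["CVE-2017-7508"],
    "ifconfig-ipv6": ["CVE-2017-7508"],
    "route-ipv6": ["CVE-2017-7508"],
}


def audit_config(text):
    """Return (line_no, directive, cve) tuples, in file order, for every
    active directive that enables a feature named in the advisory."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Lines starting with '#' or ';' are comments in OpenVPN configs.
        if not line or line[0] in "#;":
            continue
        # Config files normally omit the leading "--", but it is accepted.
        directive = line.split()[0].lstrip("-")
        for cve in OPTION_CVES.get(directive, []):
            findings.append((line_no, directive, cve))
    return findings


# Constructed sample configuration (not a VNS3 configuration).
SAMPLE_CONFIG = """\
# constructed sample
port 1194
proto udp
;x509-track +UID
server-ipv6 fd00:1234::/64
--x509-alt-username ext:subjectAltName
x509-track +UID
"""

if __name__ == "__main__":
    for line_no, directive, cve in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: '{directive}' enables a feature named in {cve}")
```

A finding means only that the feature is enabled; whether the host is exposed still depends on whether the installed OpenVPN version includes the fixes.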

See more on the vulnerabilities and the patches on Secure Week.

By: Margaret Valtierra

Originally published at cohesive.net on June 22, 2017.
