CVE-2017-12166: out of bounds write in key-method 1

OpenVPN 2.4.4 and 2.3.18 resolve an out-of-bounds write vulnerability, that was discovered by Guide Vranken.

This vulnerability is only exposed when explicitly selecting key-method 1 in the config (or on the command line). This option is only available for backward compatibility with OpenVPN 1.x, and has no longer been the default since the release of OpenVPN 2.0 in 2005. It will be removed all together in OpenVPN 2.5.

Commit message:

Fix bounds check in read_key()

The bounds check in read_key() was performed after using the value, instead
of before. If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow.

Fix this by moving the input validation to before the writes.

Note that 'key-method 1' has been replaced by 'key method 2' as the default
in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
and marked for removal in 2.5. This should limit the amount of users
impacted by this issue.

CVE: 2017-12166
Signed-off-by: Steffan Karger <>
Acked-by: Gert Doering <>
Acked-by: David Sommerseth <>
Message-Id: <>
Signed-off-by: David Sommerseth <>

Mail thread reporting the vulnerability:

Fixes in tree:

commit 3b1a61e9fb27213c46f76312f4065816bee8ed01 (master)

commit c7e259160b28e94e4ea7f0ef767f8134283af255 (release/2.4)

commit fce34375295151f548a26c2d0eb30141e427c81a (release/2.3)

commit a9f5c744d6b09f2495ca48d2c926efd3a4b981e6 (release/2.2)

commit c560f95e7038daa3a1b5a08b69b85fb68d4eeef3 (release/2.1)

Last modified 4 years ago Last modified on 09/22/17 08:51:26