| | 1 | = Exploit summary = |
| | 2 | |
| | 3 | OpenVPN 2.3.0 and earlier are subject to a potential timing-based side-channel attack, which is made possible by a non-constant-time HMAC comparison function. Plaintext recovery is possible using a padding oracle attack, optimistically at a rate of about one character per 3 hours. OpenVPN with PolarSSL is vulnerable; the vulnerability of OpenSSL-based OpenVPN has not been verified or tested. |
| | 4 | |
| | 5 | The [https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee fix] for this attack makes the affected function constant-time and thus prevents this exploit. |
| | 6 | |
| | 7 | = Requirements = |
| | 8 | |
| | 9 | Successful attack requires that |
| | 10 | |
| | 11 | * OpenVPN is running in UDP mode with a CBC mode cipher |
| | 12 | * The attacker must be able to measure the processing time of the packets |
| | 13 | |
| | 14 | The feasibility of attack is increased significantly if encryption and/or authentication is disabled. |
| | 15 | |
| | 16 | = Mitigating factors = |
| | 17 | |
| | 18 | OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason measuring the processing time of the packets is not trivial without a MITM position. In practice, the attack likely needs some target-specific information to be effective. |
| | 19 | |
| | 20 | = Affected versions = |
| | 21 | |
| | 22 | OpenVPN 2.3.0 and earlier are vulnerable. A fix ([https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee commit f375aa67cc]) is included in OpenVPN 2.3.1 and later. |
