Changes between Version 2 and Version 3 of SecurityAnnouncement-f375aa67cc


Timestamp:
04/10/13 12:29:23 (11 years ago)
Author:
Samuli Seppänen
Comment:

--

  • SecurityAnnouncement-f375aa67cc

    v2 v3  
    11= Exploit summary =
    22
    3 OpenVPN 2.3.0 and earlier running in UDP mode with a CBC mode cipher are subject to a chosen ciphertext attack due to non-constant-time HMAC comparison function. Plaintext recovery is possible using a using a padding oracle attack, optimistically at a rate of about one character per 3 hours. OpenVPN with PolarSSL is vulnerable; the vulnerability of OpenSSL-based OpenVPN has not been verified or tested.
     3OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested.
    44
    55= Severity =
     
    77OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason measuring the processing time of the packets is not trivial without a MITM position. In practice, the attack likely needs some target-specific information to be effective.
    88
    9 The severity of this vulnerability can be considered low.
     9The severity of this vulnerability can be considered low. Only if OpenVPN is configured to use a null-cipher, arbitrary plaintext can be injected, and there are serious consequences from this attack.
    1010
    1111= Affected versions =
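
Review bot: In the added v3 line 9 under Severity, the new sentence "Only if OpenVPN is configured to use a null-cipher, arbitrary plaintext can be injected, and there are serious consequences from this attack" does not make clear whether the serious consequences are limited to the null-cipher case, and it directly follows "can be considered low" without saying which rating applies to which configuration. Suggest separating the two cases, for example: "Arbitrary plaintext can be injected only if OpenVPN is configured to use a null-cipher; in that configuration the consequences are serious. In other configurations the severity can be considered low." In the added v3 line 3, the wording also moves from "OpenVPN with PolarSSL is vulnerable" to "PolarSSL seems vulnerable" while the first sentence drops "with a CBC mode cipher" and so covers UDP mode in general; a short statement of what was confirmed and what was not, per crypto library and cipher mode, would let readers judge their own exposure.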