wiki:SecurityAnnouncement-f375aa67cc

Version 1 (modified by Samuli Seppänen, 11 years ago)


Exploit summary

OpenVPN 2.3.0 and earlier are subject to a potential timing-based side-channel attack, which is made possible by a non-constant-time HMAC comparison function. Plaintext recovery is possible using a padding oracle attack, optimistically at a rate of about one character per 3 hours. OpenVPN with PolarSSL is vulnerable; the vulnerability of OpenSSL-based OpenVPN has not been verified or tested.

The fix for this attack makes the affected function constant-time and thus prevents this exploit.
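As an added illustration of the defect class described above (example code written for this page, not OpenVPN's own comparison routine or the actual f375aa67cc patch), the following C shows an early-exit tag comparison beside a constant-time one. The names `cmp_leaky`, `cmp_ct`, `probe` and the 20-byte `HMAC_LEN` are assumptions for the example; each compare reports how many bytes it inspected, which stands in for the processing time an attacker would have to measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenVPN's own code: the early-exit comparison pattern
 * behind the advisory beside the constant-time shape of the fix. Each
 * compare reports how many bytes it inspected, standing in for the packet
 * processing time an attacker would measure. */
#define HMAC_LEN 20    /* SHA-1 HMAC tag length; tags below are constructed */
/* Vulnerable pattern: returns at the first mismatching byte, so timing
 * reveals how many leading bytes of a forged tag are correct. */
int cmp_leaky(const uint8_t *a, const uint8_t *b, size_t len, size_t *n)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *n = i + 1;
            return 0;                       /* mismatch */
        }
    }
    *n = len;
    return 1;                               /* match */
}

/* Constant-time pattern: walks every byte and ORs the differences, so
 * neither loop count nor branch depends on where the mismatch is. */
int cmp_ct(const uint8_t *a, const uint8_t *b, size_t len, size_t *n)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    *n = len;
    return diff == 0;
}

struct probe_result { int match; size_t examined; };
/* Compares a constructed real tag with a forgery whose first `mismatch_at`
 * bytes are correct (mismatch_at >= HMAC_LEN means a fully correct tag). */
struct probe_result probe(size_t mismatch_at, int constant_time)
{
    uint8_t real[HMAC_LEN], forged[HMAC_LEN];
    struct probe_result r;
    memset(real, 0xA5, HMAC_LEN);
    memcpy(forged, real, HMAC_LEN);
    if (mismatch_at < HMAC_LEN)
        forged[mismatch_at] ^= 0x01;
    r.match = constant_time ? cmp_ct(real, forged, HMAC_LEN, &r.examined)
                            : cmp_leaky(real, forged, HMAC_LEN, &r.examined);
    return r;
}
```

With the leaky compare, a forgery whose first three bytes are right is examined for 4 bytes and one with none right for 1 byte; the constant-time compare examines all 20 bytes in every case while returning the same verdicts.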

Requirements

A successful attack requires that:

  • OpenVPN is running in UDP mode with a CBC-mode cipher
  • The attacker is able to measure the processing time of the packets

The feasibility of the attack is increased significantly if encryption and/or authentication is disabled.

Mitigating factors

OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason, measuring the processing time of the packets is not trivial without a man-in-the-middle (MITM) position. In practice, the attack likely needs some target-specific information to be effective.

Affected versions

OpenVPN 2.3.0 and earlier are vulnerable. A fix (commit f375aa67cc) is included in OpenVPN 2.3.1 and later.