Exploit summary
OpenVPN 2.3.0 and earlier are subject to a potential timing-based side-channel attack, made possible by a non-constant-time HMAC comparison: the comparison stops at the first mismatching byte, so the time it takes reveals how many leading bytes of a forged HMAC are already correct. Used as a padding oracle against the CBC-encrypted payload, this allows plaintext recovery, optimistically at a rate of about one character per 3 hours. OpenVPN built against PolarSSL is vulnerable; whether OpenSSL-based OpenVPN is vulnerable has not been verified or tested.
The fix makes the affected comparison constant-time, which removes the timing signal and thus prevents this exploit.
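The following C program is an added illustration of the two comparison strategies; it is not OpenVPN's code or the contents of the fix commit. The sample tag and the forged tags are constructed, and the number of bytes a comparison reads stands in for the wall-clock time an attacker would measure: an early-exit compare reads one byte more than the length of the forgery's correct prefix, while the constant-time compare always reads the whole tag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 20  /* length of an HMAC-SHA1 tag, OpenVPN's default --auth digest */

/* Constructed sample tag standing in for the HMAC the receiver computes over
 * a packet; a real receiver derives it from the packet and the auth key. */
static const uint8_t GENUINE_TAG[TAG_LEN] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x1f, 0x6b, 0xa0,
    0x13, 0xf7, 0x4c, 0x29, 0xe5, 0xb8, 0x72, 0x0d, 0x96, 0xcf
};

/* Early-exit comparison in the style of memcmp. Returns 0 on match, nonzero
 * otherwise, and reports how many bytes were read before returning. That
 * count is the timing signal: it equals the index of the first mismatch plus
 * one, so the running time reveals how long a forged tag's correct prefix is. */
static int early_exit_compare(const uint8_t *a, const uint8_t *b, size_t n,
                              size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 1;
        }
    }
    *bytes_examined = n;
    return 0;
}

/* Constant-time comparison: reads every byte unconditionally, accumulates
 * the differences with OR, and only inspects the result after the loop, so
 * the amount of work does not depend on where (or whether) the tags differ. */
static int constant_time_compare(const uint8_t *a, const uint8_t *b, size_t n,
                                 size_t *bytes_examined)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    *bytes_examined = n;
    return diff != 0;
}

/* Build a forged tag whose first `correct_prefix` bytes match GENUINE_TAG and
 * whose remaining bytes are all wrong. */
static void make_forgery(uint8_t *out, size_t correct_prefix)
{
    size_t i;
    memcpy(out, GENUINE_TAG, TAG_LEN);
    for (i = correct_prefix; i < TAG_LEN; i++)
        out[i] = GENUINE_TAG[i] ^ 0xFF;
}

/* Bytes the early-exit compare reads for a forgery with the given correct
 * prefix. Grows with the prefix: this is what an attacker measures. */
size_t probe_early_exit(size_t correct_prefix)
{
    uint8_t forged[TAG_LEN];
    size_t examined;
    make_forgery(forged, correct_prefix);
    early_exit_compare(GENUINE_TAG, forged, TAG_LEN, &examined);
    return examined;
}

/* Same probe against the constant-time compare: always TAG_LEN, so the
 * measurement carries no information about the prefix. */
size_t probe_constant_time(size_t correct_prefix)
{
    uint8_t forged[TAG_LEN];
    size_t examined;
    make_forgery(forged, correct_prefix);
    constant_time_compare(GENUINE_TAG, forged, TAG_LEN, &examined);
    return examined;
}

/* Whether the constant-time compare accepts the forgery: only a fully
 * correct tag passes, so the fix changes the leak, not the verdict. */
int forgery_accepted_constant_time(size_t correct_prefix)
{
    uint8_t forged[TAG_LEN];
    size_t examined;
    make_forgery(forged, correct_prefix);
    return constant_time_compare(GENUINE_TAG, forged, TAG_LEN, &examined) == 0;
}

int main(void)
{
    size_t k;
    printf("correct prefix  early-exit reads  constant-time reads\n");
    for (k = 0; k <= TAG_LEN; k += 5)
        printf("%14zu  %16zu  %19zu\n", k,
               probe_early_exit(k), probe_constant_time(k));
    return 0;
}
```

Build with `cc -O2 -o hmac_compare hmac_compare.c` and run it to see the early-exit column track the prefix length while the constant-time column stays flat. The OR-accumulating loop is the usual hand-written form, but it relies on the compiler not reintroducing an early exit; in production code, prefer the crypto library's dedicated routine (such as OpenSSL's CRYPTO_memcmp) over a home-grown loop.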
Requirements
A successful attack requires that
- OpenVPN is running in UDP mode with a CBC mode cipher
- the attacker is able to measure the processing time of individual packets
The attack becomes significantly more feasible if encryption and/or authentication is disabled (--cipher none or --auth none).
Mitigating factors
OpenVPN servers are typically configured to silently drop packets with a wrong HMAC, so measuring per-packet processing time is not trivial without a man-in-the-middle position. In practice, the attack likely needs some target-specific information to be effective.
Affected versions
OpenVPN 2.3.0 and earlier are vulnerable. A fix (commit f375aa67cc) is included in OpenVPN 2.3.1 and later; affected users should upgrade to 2.3.1 or later.