wiki:SecurityAnnouncement-f375aa67cc

Version 2 (modified by Samuli Seppänen, 11 years ago)


Exploit summary

OpenVPN 2.3.0 and earlier running in UDP mode with a CBC mode cipher are subject to a chosen ciphertext attack due to a non-constant-time HMAC comparison function. Plaintext recovery is possible using a padding oracle attack, optimistically at a rate of about one character per 3 hours. OpenVPN with PolarSSL is vulnerable; the vulnerability of OpenSSL-based OpenVPN has not been verified or tested.
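As an added illustration (not OpenVPN's own code and not the patch in commit f375aa67cc), the defect class described above is shown beside a constant-time replacement: the global `bytes_compared` stands in for elapsed time, and the tag bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 20  /* length of an HMAC-SHA1 tag */

/* Number of bytes the last comparison examined; stands in for elapsed time. */
size_t bytes_compared;

/* Early-exit comparison (the defect): it returns at the first differing byte,
 * so its running time grows with how many leading bytes of the two tags agree. */
int hmac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t i;
    bytes_compared = 0;
    for (i = 0; i < len; i++) {
        bytes_compared = i + 1;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: examines every byte and never branches on the
 * data; the OR of all byte XORs is zero only on a full match. (A production
 * version must also stop the compiler from re-introducing an early exit.) */
int hmac_equal_ct(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    bytes_compared = len;
    return diff == 0;
}

/* Constructed input: an arbitrary expected tag and a candidate that agrees with
 * it in the first `prefix` bytes and differs in every later byte (prefix >=
 * TAG_LEN is a full match). Returns 1 on match, 0 otherwise. */
int compare_prefix(size_t prefix, int constant_time)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    size_t i;
    for (i = 0; i < TAG_LEN; i++) {
        expected[i] = (uint8_t)(0xA5 ^ i);                 /* arbitrary bytes */
        received[i] = (i < prefix) ? expected[i] : (uint8_t)~expected[i];
    }
    return constant_time ? hmac_equal_ct(expected, received, TAG_LEN)
                         : hmac_equal_leaky(expected, received, TAG_LEN);
}
```

With the leaky comparison, `bytes_compared` after a mismatch equals the matching prefix length plus one, which is exactly the per-byte signal a padding oracle needs; with the constant-time version it is always TAG_LEN.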

Severity

OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason, measuring the processing time of the packets is not trivial without a man-in-the-middle (MITM) position. In practice, the attack likely needs some target-specific information to be effective.

The severity of this vulnerability can be considered low.

Affected versions

OpenVPN 2.3.0 and earlier are vulnerable. A fix (commit f375aa67cc) is included in OpenVPN 2.3.1 and later.