Exploit summary

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested.

Severity

OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason measuring the processing time of the packets is not trivial without a MITM position. In practice, the attack likely needs some target-specific information to be effective.

The severity of this vulnerability can be considered low. Only if OpenVPN is configured to use a null-cipher, arbitrary plaintext can be injected, and there are serious consequences from this attack.

Affected versions

OpenVPN 2.3.0 and earlier are vulnerable. A fix (​commit f375aa67cc) is included in OpenVPN 2.3.1 and later.