wiki:VulnerabilitiesFixedInOpenSSL1.0.1i

Version 1 (modified by Samuli Seppänen, 10 years ago)


Background

On 6th August 2014 the OpenSSL project published new releases that fixed several security vulnerabilities of moderate severity or less. OpenVPN Windows installers bundle OpenSSL 1.0.1, which makes this OpenSSL release (1.0.1i) relevant for OpenVPN.

List of vulnerabilities

| Vulnerability name | ID | Affects OpenVPN? |
|---|---|---|
| Information leak in pretty printing functions | CVE-2014-3508 | Possibly[1] |
| Crash with SRP ciphersuite in Server Hello message | CVE-2014-5139 | No. OpenVPN does not use SRP |
| Race condition in ssl_parse_serverhello_tlsext | CVE-2014-3509 | No |
| Double Free when processing DTLS packets | CVE-2014-3505 | No. OpenVPN does not use DTLS |
| DTLS memory exhaustion | CVE-2014-3506 | No. OpenVPN does not use DTLS |
| DTLS memory leak from zero-length fragments | CVE-2014-3507 | No. OpenVPN does not use DTLS |
| OpenSSL DTLS anonymous EC(DH) denial of service | CVE-2014-3510 | No. OpenVPN does not use DTLS |
| OpenSSL TLS protocol downgrade attack | CVE-2014-3511 | No. OpenVPN already defaults to TLS 1.0 |
| SRP buffer overrun | CVE-2014-3512 | No. OpenVPN does not use SRP |

[1] This one triggers direct vulnerability in OpenVPN. Stack information is not leaked to the peer. It might be possible that the leaked information is passed on to a client script / plugin (not sure what form the leaked information has; if the leaked information is after a NUL byte, it's probably not exported). Such a plugin/script could then leak the information to the attacker.