wiki:VulnerabilitiesFixedInOpenSSL1.0.1i

Version 3 (modified by Samuli Seppänen, 10 years ago)

Background

On 6th August 2014 the OpenSSL project released 1.0.1i, which fixed several security vulnerabilities of moderate severity or less. OpenVPN Windows installers bundle OpenSSL 1.0.1, which makes this OpenSSL release relevant for OpenVPN.

List of vulnerabilities

| Vulnerability name | ID | Affects OpenVPN? |
|---|---|---|
| Information leak in pretty printing functions | CVE-2014-3508 | Possibly [1]. |
| Crash with SRP ciphersuite in Server Hello message | CVE-2014-5139 | No. OpenVPN does not use SRP. |
| Race condition in ssl_parse_serverhello_tlsext | CVE-2014-3509 | No. |
| Double Free when processing DTLS packets | CVE-2014-3505 | No. OpenVPN does not use DTLS. |
| DTLS memory exhaustion | CVE-2014-3506 | No. OpenVPN does not use DTLS. |
| DTLS memory leak from zero-length fragments | CVE-2014-3507 | No. OpenVPN does not use DTLS. |
| OpenSSL DTLS anonymous EC(DH) denial of service | CVE-2014-3510 | No. OpenVPN does not use DTLS. |
| OpenSSL TLS protocol downgrade attack | CVE-2014-3511 | No. OpenVPN already defaults to TLS 1.0. |
| SRP buffer overrun | CVE-2014-3512 | No. OpenVPN does not use SRP. |

[1] This one triggers direct vulnerability in OpenVPN. Stack information is not leaked to the peer. It might be possible that the leaked information is passed on to a client script or plugin (not sure what form the leaked information has; if the leaked information is after a NUL byte, it's probably not exported). Such a plugin or script could then leak the information to the attacker.