Published: 27/06/2017 Updated: 03/10/2019

CVSS v2 Base Score: 4 | Impact Score: 4.9 | Exploitability Score: 4.9

CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2

VMScore: 356

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:P

OpenVPN versions prior to 2.4.3 and prior to 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.

Vulnerable Product	Search on Vulmon	Subscribe to Product
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn 2.4.2
openvpn openvpn

Debian Bug report logs - #865480 openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 Package: src:openvpn; Maintainer for src:openvpn is Bernhard Schmidt <berni@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 21 Jun 2017 20:00:02 UTC Severity: grave Tags: security, upstream Found in vers ...

Several security issues were fixed in OpenVPN ...

Several issues were discovered in openvpn, a virtual private network application CVE-2017-7479 It was discovered that openvpn did not properly handle the rollover of packet identifiers This would allow an authenticated remote attacker to cause a denial-of-service via application crash CVE-2017-7508 Guido Vranken discovered t ...

OpenVPN versions before 243 and before 2317 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet (CVE-2017-7508) OpenVPN versions before 243 and before 2317 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character (CVE-2017-7522) OpenVPN versi ...

OpenVPN versions before 243 and before 2317 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker ...

A pre-authentication remote crash/information disclosure vulnerability has been discovered in OpenVPN < 243 If the client uses a HTTP proxy with NTLM authentication (ie "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2") to connect to the OpenVPN server, an attacker in position of man-in-the-middle between ...

Researcher calls the fuzz on OpenVPN, uncovers crashy vulns

The Register • Richard Chirgwin • 22 Jun 2017

Patches for servers and clients already out there – get updating just in case

OpenVPN has patched a bunch of security vulnerabilities that can be exploited to crash the service or, at a pinch, potentially gain remote-code execution. You should update your installations to versions 2.4.3 or 2.3.17 as soon as you can just to be on the safe side. The four holes were found by Guido Vranken, who took a fuzzer to the widely used VPN software, and worked independently of the OpenVPN team's big code audit this year. He published his findings on Wednesday. First in the list is CVE...

CVE-2017-7520

Vulnerability Summary

Vendor Advisories

Recent Articles

References

Vulmon Search

About

Products

Connect