Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.5
CVSSv3

CVE-2017-7522

Published: 27/06/2017 Updated: 07/07/2017
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Subscribe to Openvpn

Vulnerability Summary

OpenVPN versions prior to 2.4.3 and prior to 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

Vulnerable Product Search on Vulmon Subscribe to Product

openvpn openvpn 2.4.0

openvpn openvpn 2.4.1

openvpn openvpn

openvpn openvpn 2.4.2

Vendor Advisories

Debian CVElist Bug Report Logs: openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
Debian Bug report logs - #865480 openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 Package: src:openvpn; Maintainer for src:openvpn is Bernhard Schmidt <berni@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 21 Jun 2017 20:00:02 UTC Severity: grave Tags: security, upstream Found in vers ...
Amazon Linux AMI: ALAS-2017-852
OpenVPN versions before 243 and before 2317 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet (CVE-2017-7508) OpenVPN versions before 243 and before 2317 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character (CVE-2017-7522) OpenVPN versi ...
Red Hat: CVE-2017-7522
OpenVPN versions before 243 and before 2317 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character ...
Arch Linux Issues:
A post-authentication remote DoS has been found in OpenVPN >= 24 and < 243, allowing a client to crash a server by sending a crafted certificate with an embedded NUL character The issue requires the OpenVPN server to be built against mbedtls and to use the --x509-track option ...

Recent Articles

Researcher calls the fuzz on OpenVPN, uncovers crashy vulns
The Register • Richard Chirgwin • 22 Jun 2017

Patches for servers and clients already out there – get updating just in case

OpenVPN has patched a bunch of security vulnerabilities that can be exploited to crash the service or, at a pinch, potentially gain remote-code execution. You should update your installations to versions 2.4.3 or 2.3.17 as soon as you can just to be on the safe side. The four holes were found by Guido Vranken, who took a fuzzer to the widely used VPN software, and worked independently of the OpenVPN team's big code audit this year. He published his findings on Wednesday. First in the list is CVE...

Read more...

References

CWE-476https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243http://www.securityfocus.com/bid/99230http://www.securitytracker.com/id/1038768https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865480https://nvd.nist.govhttps://alas.aws.amazon.com/ALAS-2017-852.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4671unauthorizedCVE-2024-4776CVE-2024-3407CVE-2024-26026CVE-2024-32888wirelessCVE-2024-4656template injection
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook