Multiple vulnerabilities in OpenVPN

Published: 2023-11-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-46850 CVE-2023-46849
CWE-ID	CWE-416 CWE-369
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	OpenVPN for Windows Client/Desktop applications / Software for system administration
Vendor	OpenVPN

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU82951

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-46850

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to openvpn incorrectly uses a send buffer after it has been freed. Under certain circumstances the freed memory can be sent to the client peer, resulting in information disclosure. The vulnerability affects TLS configuration.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

OpenVPN for Windows: 2.6.0 - 2.6.6

CPE2.3

cpe:2.3:a:openvpn_net:openvpn:2.6.6:*:*:*:*:*:*:*

External links

https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Division by zero

EUVDB-ID: #VU82952

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-46849

CWE-ID: CWE-369 - Divide By Zero