Submitted via IRC for TheMightyBuzzard
Two teams of experts have conducted audits of the open-source virtual private network (VPN) application OpenVPN, including its use of cryptography, and they identified only one high severity vulnerability
One audit, conducted between December 2016 and February 2017, was carried out by cryptography expert Dr. Matthew Green and funded by Private Internet Access (PIA). Green and his team looked for both memory-related vulnerabilities (e.g. buffer overflows and use-after-free) and cryptographic weaknesses.
A security review of OpenVPN was also conducted by Quarkslab over a 50-day period between February and April, with funding from the Open Source Technology Improvement Fund (OSTIF). This audit focused on OpenVPN for Windows and Linux, the OpenVPN GUI, and the TAP driver for Windows. Both audits targeted OpenVPN 2.4.
Quarkslab discovered one vulnerability that has been rated high severity. The flaw, tracked as CVE-2017-7478, is a denial-of-service (DoS) issue that allows an unauthenticated attacker to crash OpenVPN clients and servers. Researchers pointed out that the weakness can be easily exploited.
Quarkslab also identified a medium severity DoS vulnerability (CVE-2017-7479) that can only be exploited by an authenticated attacker. The other security bugs found by the company have been classified as low severity or informational issues.
The audit conducted by Dr. Green's Cryptography Engineering did not uncover any major flaws.
Source: http://www.securityweek.com/audit-finds-only-one-severe-vulnerability-openvpn
(Score: 0, Offtopic) by Anonymous Coward on Sunday May 14 2017, @03:28PM
It looks like a throwback to when Trump said "I like people who weren't captured." It was an innocent time in America's history when the media actually thought you had to quit after saying something controversial about a sacred cow.