| Title | Audit Finds Only One Severe Vulnerability in OpenVPN | |
| Date | Sunday May 14 2017, @08:31AM | |
| Author | cmn32480 | |
| Topic | ||
| from the happy-news dept. | ||
Submitted via IRC for TheMightyBuzzard
Two teams of experts have conducted audits of the open-source virtual private network (VPN) application OpenVPN, including its use of cryptography, and they identified only one high severity vulnerability
One audit, conducted between December 2016 and February 2017, was carried out by cryptography expert Dr. Matthew Green and funded by Private Internet Access (PIA). Green and his team looked for both memory-related vulnerabilities (e.g. buffer overflows and use-after-free) and cryptographic weaknesses.
A security review of OpenVPN was also conducted by Quarkslab over a 50-day period between February and April, with funding from the Open Source Technology Improvement Fund (OSTIF). This audit focused on OpenVPN for Windows and Linux, the OpenVPN GUI, and the TAP driver for Windows. Both audits targeted OpenVPN 2.4.
Quarkslab discovered one vulnerability that has been rated high severity. The flaw, tracked as CVE-2017-7478, is a denial-of-service (DoS) issue that allows an unauthenticated attacker to crash OpenVPN clients and servers. Researchers pointed out that the weakness can be easily exploited.
Quarkslab also identified a medium severity DoS vulnerability (CVE-2017-7479) that can only be exploited by an authenticated attacker. The other security bugs found by the company have been classified as low severity or informational issues.
The audit conducted by Dr. Green's Cryptography Engineering did not uncover any major flaws.
Source: http://www.securityweek.com/audit-finds-only-one-severe-vulnerability-openvpn
| Links |
printed from SoylentNews, Audit Finds Only One Severe Vulnerability in OpenVPN on 2024-05-17 19:17:50