oss-sec mailing list archives
CVE request: OpenVPN use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 6 May 2013 10:33:38 -0600
Could a CVE be assigned to this issue? Copying and pasting from the upstream announcement: Exploit summary OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested. Severity OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason measuring the processing time of the packets is not trivial without a MITM position. In practice, the attack likely needs some target-specific information to be effective. The severity of this vulnerability can be considered low. Only if OpenVPN is configured to use a null-cipher, arbitrary plain-text can be injected which can completely open up this attack vector. Affected versions OpenVPN 2.3.0 and earlier are vulnerable. A fix (commit f375aa67cc) is included in OpenVPN 2.3.1 and later. References: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee https://bugs.gentoo.org/show_bug.cgi?id=468756 https://bugzilla.redhat.com/show_bug.cgi?id=960192 --Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE request: OpenVPN use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt Vincent Danen (May 06)