On 06/26/2015 07:48 AM, Jan Just Keijser wrote:
> On 26/06/15 13:28, Gert Doering wrote:
>> Hi,
>> On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote:
>>> * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
>>> This might be an issue on OpenVPN on the server side. However,
>>> --tls-auth will reduce the attack vector to one of your own users.
>> As we're not using X509_cmp_time()...
> That was my initial thought as well, but X509_cmp_time might be (is)
> called by OpenSSL internally to check the dates on certificates and
> perhaps CRLs. It would need further investigation, I guess.
Might an in-depth investigation on these issues take more time than
building an updated installer?
Also, while David Sommerseth suggested in another email that --tls-auth
provides good mitigation, note that not everyone is using that option.
When I recently set up a pfSense router, I couldn't get tls-auth working
for some reason (probably quirks on the pfSense side).
Personally, I'd feel better with an updated client since I have
customers using it to access patient health information. OpenVPN is the
only entry point into their networks, which worries me because the other
proprietary software they have is riddled with security holes
(unfortunately I have no control over this). One successful OpenSSL
exploit is all it would take to cause a disaster.
I'd offer to help update the installer, but... you don't typically want
to accept help from a stranger for building binaries...
- Joe