Hi,

On Fri, Jun 23, 2017 at 08:05:40AM +1200, Jason Haar wrote:
> Does using tls-auth protect against these latest security issues? I.e. if you
> are running older versions but require tls-auth, then would that block
> attacks from hackers who don't have your tls-auth file?

There's a big bag of vulnerabilities in there.  Most of them are relevant
in special cases only, so "if you do not use a proxy with NTLMv2 auth",
you're not vulnerable to that one (but if you do, tls-auth will not help
as it's failing on connection setup).

Actually, I just went through the logs, and tls-auth will not(!) protect
you in any of the cases.

CVEs 2017-7520, 2017-7521 and 2017-7522 are somewhat niche cases - you
need to use an NTLMv2 authenticating proxy, '--x509-username-field' or
'--x509-track' (on the server) to be vulnerable.

CVE 2017-7508 affects anyone who is using IPv6 *inside* the tunnel, has
--mssfix enabled, and is not using a firewall on the outside that will
sanitize broken IPv6 packets (like BSD's pf(4) would do).  In that case,
someone from out there in the wild could send a malformed IPv6 packet
that makes the server ASSERT().

So: if you use tunneled IPv6 in your VPN, and bored kids can find
out which networks you use internally in the VPN and can send packets
there, upgrade.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
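As an added illustration (not part of Gert's mail and not OpenVPN project code), the following Python script reads an OpenVPN config file and reports which of the exposure conditions listed above it matches: IPv6 carried inside the tunnel together with an active --mssfix (CVE-2017-7508), and the niche conditions (an NTLMv2-authenticating http-proxy, --x509-username-field, --x509-track) for CVE-2017-7520/7521/7522. It deliberately does not treat tls-auth or tls-crypt as a mitigation, since the mail says it is not one. Assumptions made here: OpenVPN's default `proto` is udp and `mssfix` defaults to 1450 in UDP mode (so only an explicit `mssfix 0` or TCP transport turns it off), the `http-proxy server port auth-file auth-method` argument order, and the sample configs are constructed for the demo. The script does not know which release fixed the issues; it only flags configurations worth checking, so the upgrade decision stays with the reader.

```python
"""Audit an OpenVPN config against the exposure conditions from the mail above.

Constructed example; not OpenVPN's own code and not a vulnerability scanner.
"""
import shlex

# Directives that mean IPv6 traffic is routed inside the tunnel (assumed set).
IPV6_TUNNEL_DIRECTIVES = {"server-ipv6", "ifconfig-ipv6", "tun-ipv6",
                          "route-ipv6", "ifconfig-ipv6-push"}
# Server-side options the mail names as the niche exposure conditions.
NICHE_DIRECTIVES = {"x509-username-field", "x509-track"}
# The mail does not say which of the three niche CVEs maps to which option,
# so they are reported as a group rather than guessed individually.
NICHE_CVES = "CVE-2017-7520/7521/7522"


def parse_config(text):
    """Return a list of (directive, args). Inline <ca>...</ca> style blocks are
    collapsed to a single marker so key material is never parsed or echoed."""
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            directives.append((in_block, ["<inline>"]))
            continue
        # Strip comments (OpenVPN accepts both '#' and ';').
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # keeps push "route-ipv6 ..." as one argument
        directives.append((parts[0], parts[1:]))
    return directives


def uses_ipv6_in_tunnel(directives):
    """True if the config routes IPv6 through the tunnel, directly or via push."""
    for name, args in directives:
        if name in IPV6_TUNNEL_DIRECTIVES:
            return True
        if name == "push" and args and args[0].split()[0] in IPV6_TUNNEL_DIRECTIVES:
            return True
    return False


def mssfix_enabled(directives):
    """mssfix only acts in UDP mode; assumed default of 1450 unless 'mssfix 0'."""
    proto, mssfix = "udp", None  # assumed defaults
    for name, args in directives:
        if name == "proto" and args:
            proto = args[0].lower()
        elif name == "mssfix":
            mssfix = int(args[0]) if args else 1450
    if not proto.startswith("udp"):
        return False
    return mssfix is None or mssfix != 0


def audit(text):
    """Return a list of (cve, reason) findings for the given config text."""
    directives = parse_config(text)
    findings = []
    if uses_ipv6_in_tunnel(directives) and mssfix_enabled(directives):
        findings.append(("CVE-2017-7508",
                         "IPv6 inside the tunnel with mssfix active: a malformed "
                         "IPv6 packet reaching the tunnel can hit the ASSERT()"))
    for name, args in directives:
        if name == "http-proxy" and len(args) >= 4 and args[3].lower() == "ntlm2":
            findings.append((NICHE_CVES, "http-proxy uses NTLMv2 authentication"))
        elif name in NICHE_DIRECTIVES:
            findings.append((NICHE_CVES, f"--{name} is in use"))
    # Note: tls-auth / tls-crypt are intentionally NOT counted as mitigations.
    return findings


# --- constructed sample configs ------------------------------------------
SERVER_UDP_IPV6 = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:1::/64          # constructed documentation prefix
push "route-ipv6 2001:db8:2::/64"
tls-auth ta.key 0                    # present, but does not help here
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, no real key material)
-----END CERTIFICATE-----
</ca>
"""

CLIENT_NTLM_PROXY = """
client
proto tcp
remote vpn.example.test 443
http-proxy proxy.example.test 3128 auth.txt ntlm2
"""

SERVER_TCP_IPV6 = """
proto tcp-server
dev tun
server-ipv6 2001:db8:1::/64
"""

if __name__ == "__main__":
    for label, cfg in [("server/udp/ipv6", SERVER_UDP_IPV6),
                       ("client/ntlm2 proxy", CLIENT_NTLM_PROXY),
                       ("server/tcp/ipv6", SERVER_TCP_IPV6)]:
        print(label, "->", audit(cfg) or "no listed condition matched")
```

Run it against your own server and client configs; a finding means the config matches one of the conditions Gert describes, and the presence of tls-auth changes nothing about that result.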
