Hi,
On Fri, Jun 23, 2017 at 08:05:40AM +1200, Jason Haar wrote:
> Does using tls-auth protect against these latest security issues? i.e. if you
> are running older versions but require tls-auth, then would that block
> attacks from hackers who don't have your tls-auth file?
There's a big bag of vulnerabilities in there. Most of them are relevant
in special cases only, so "if you do not use a proxy with NTLMv2 auth",
you're not vulnerable to that one (but if you do, tls-auth will not help
as it's failing on connection setup).
Actually, I just went through the logs, and tls-auth will not(!) protect
you in any of the cases.
CVEs 2017-7520, 2017-7521 and 2017-7522 are somewhat niche cases - you
need to use an NTLMv2 authenticating proxy, '--x509-username-field' or
'--x509-track' (on the server) to be vulnerable.
CVE 2017-7508 affects anyone who is using IPv6 *inside* the tunnel, has
--mssfix enabled, and is not using a firewall on the outside that will
sanitize broken IPv6 packets (like BSD's pf(4) would do). In that case,
someone from out there in the wild could send a malformed IPv6 packet
that makes the server ASSERT().
So: if you use tunneled IPv6 in your VPN, and bored kids can find
out which networks you use internally in the VPN and can send packets
there, upgrade.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
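The preconditions Gert lists can be checked against a server or client config file without touching the network. The following checker is an added example, not code from the thread or from the OpenVPN project. It parses an OpenVPN config and reports whether the config matches the conditions named in the message: IPv6 inside the tunnel together with --mssfix (CVE-2017-7508), and an NTLMv2 http-proxy, --x509-username-field or --x509-track (the CVE-2017-7520/7521/7522 group, reported together because the message does not map each option to a single CVE). It assumes that IPv6 inside the tunnel shows up as one of the standard options server-ipv6, ifconfig-ipv6, tun-ipv6 or a pushed route-ipv6, and that mssfix is on unless explicitly set to 0 (the OpenVPN 2.x default). The sample configs are constructed.

```python
"""Flag OpenVPN configs matching the preconditions of the June 2017 CVEs.

Added example; option names for IPv6-in-tunnel detection and the mssfix
default are assumptions noted in the comments.
"""
import shlex

# Assumption: these options indicate IPv6 routed/assigned inside the tunnel.
IPV6_OPTIONS = {"server-ipv6", "ifconfig-ipv6", "tun-ipv6"}
# Options named in the message for the CVE-2017-7520/7521/7522 group.
X509_OPTIONS = {"x509-username-field", "x509-track"}

# Constructed sample: a server config with every risky condition present.
VULNERABLE_SERVER = """\
port 1194
proto udp
dev tun
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:dead:beef::/64
mssfix 1400
x509-username-field emailAddress
"""

# Constructed sample: a client config using an NTLMv2 proxy but no IPv6.
NTLM_CLIENT = """\
client
dev tun
remote vpn.example.invalid 1194
http-proxy proxy.example.invalid 3128 stdin ntlm2
mssfix 0
"""


def parse_options(text):
    """Return a list of (option, args) from OpenVPN config text.

    Strips a leading '--', skips '#'/';' comment lines, records <tag>
    inline-file blocks as an option with no args, and keeps quoted
    arguments together so push "route-ipv6 ..." is one argument.
    """
    options = []
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == "</%s>" % inline_tag:
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            options.append((inline_tag, []))
            continue
        parts = shlex.split(line)
        if parts:
            options.append((parts[0].lstrip("-"), parts[1:]))
    return options


def tunneled_ipv6(options):
    """True if IPv6 is carried inside the tunnel (see IPV6_OPTIONS)."""
    for name, args in options:
        if name in IPV6_OPTIONS:
            return True
        if name == "push" and args and args[0].split()[0].lstrip("-") == "route-ipv6":
            return True
    return False


def mssfix_enabled(options):
    """Assumed on by default (OpenVPN 2.x uses 1450); 'mssfix 0' disables it."""
    enabled = True
    for name, args in options:
        if name == "mssfix":
            enabled = not (args and args[0] == "0")
    return enabled


def assess(text):
    """Map each condition from the message to a boolean for this config."""
    options = parse_options(text)
    names = {name for name, _ in options}
    ntlm2_proxy = any(
        name == "http-proxy" and "ntlm2" in [a.lower() for a in args]
        for name, args in options
    )
    return {
        "tls_auth_present": "tls-auth" in names,
        "cve_2017_7508": tunneled_ipv6(options) and mssfix_enabled(options),
        "cve_2017_7520_7521_7522": ntlm2_proxy or bool(names & X509_OPTIONS),
    }


def report(text):
    """Human-readable findings, including the 'tls-auth does not help' caveat."""
    f = assess(text)
    lines = []
    if f["cve_2017_7508"]:
        lines.append("CVE-2017-7508: IPv6 inside the tunnel with mssfix enabled; "
                     "upgrade, or ensure the perimeter firewall drops malformed IPv6")
    if f["cve_2017_7520_7521_7522"]:
        lines.append("CVE-2017-7520/7521/7522: NTLMv2 proxy, x509-username-field "
                     "or x509-track in use; upgrade")
    if lines and f["tls_auth_present"]:
        lines.append("note: tls-auth is configured but does not mitigate these issues")
    return lines


if __name__ == "__main__":
    for label, cfg in (("server", VULNERABLE_SERVER), ("client", NTLM_CLIENT)):
        print(label, assess(cfg))
        for line in report(cfg):
            print("  -", line)
```

Run it against a real config by reading the file into `assess()`; an empty `report()` means none of the listed preconditions were found, not that the build is patched, so version checking still applies.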