Buffer overflow in OpenVPN for Windows - CVE-2017-12166
Published: September 29, 2017 / Updated: September 29, 2017
OpenVPN for Windows
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the read_key() function when "Key Method 1" is used. A remote unauthenticated attacker can send a specially crafted key, trigger a buffer overflow and cause denial of service or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
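Because the flaw is only reachable when "Key Method 1" is in use, a configuration audit can show which OpenVPN profiles are exposed. The following is an added example, not part of the original advisory or OpenVPN's own code: it assumes that "Key Method 1" corresponds to the `key-method 1` directive in an OpenVPN configuration file, and the function name and sample configuration are constructed for illustration.

```python
import re
import sys

# Constructed sample config for illustration; not taken from a real deployment.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
# key-method 1
;key-method 1
key-method 2
  --key-method   1   # legacy peer
"""


def find_key_method_1(config_text):
    """Return 1-based line numbers where the config enables key-method 1."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Simplification (assumption): treat '#' and ';' as comment starters
        # anywhere on the line and ignore quoting, which is sufficient for
        # a directive whose only argument is a number.
        line = re.split(r"[#;]", raw, maxsplit=1)[0]
        tokens = line.split()
        if not tokens:
            continue
        # Config files accept directives with or without the leading "--".
        directive = tokens[0].lstrip("-")
        if directive == "key-method" and tokens[1:2] == ["1"]:
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    # Usage: python audit_key_method.py client1.ovpn server.conf ...
    exposed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno in find_key_method_1(fh.read()):
                exposed = True
                print(f"{path}:{lineno}: key-method 1 is enabled")
    sys.exit(1 if exposed else 0)
```

A non-zero exit status means at least one profile enables the setting, so the script can gate a configuration-management run.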