Double free memory error in OpenVPN

#VU12129 Double free memory error in OpenVPN

Published: 2018-04-24

Vulnerability identifier: #VU12129

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9336

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenVPN
Server applications / Remote access servers, VPN

Vendor: openvpn.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to double-free memory error in Interactive Service. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation
Update to version 2.4.6.

Vulnerable software versions

OpenVPN: 2.4.0 - 2.4.5

External links
http://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Double free memory error in openvpn (Alpine package)

OpenSUSE Linux update for openvpn

Slackware Linux update for openvpn

Denial of service in OpenVPN