#VU380 Access control error in OpenVPN for Windows - CVE-2016-6329

 

Published: September 8, 2016 / Updated: September 29, 2017


Vulnerability identifier: #VU380
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6329
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenVPN for Windows
Software vendor:
OpenVPN

Description

The vulnerability allows attackers to gain access to potentially sensitive information.

The vulnerability exists because an attacker can capture a long-duration TLS session encrypted with Blowfish in CBC mode. When the communication protocol repeatedly sends messages that contain parts of the same plaintext, the captured traffic helps the attacker reconstruct the secret information.

Successful exploitation of this vulnerability may allow a remote attacker to access potentially sensitive data.


Remediation

The vendor plans to issue a new version 2.3.12.
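The check below is an added example, not part of the advisory and not OpenVPN's own code: it audits OpenVPN configuration text for the Blowfish CBC condition described above, as well as other 64-bit block ciphers. It assumes OpenVPN 2.3 behaviour, where a config without a `cipher` directive falls back to BF-CBC, and treats a non-zero `reneg-bytes` value as a limit on how much data one key encrypts; the cipher prefix list and the sample configs are constructed for illustration.

```python
# Ciphers with a 64-bit block, by OpenVPN --cipher name prefix.
# This list is an assumption of the example, not taken from the advisory.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")
DEFAULT_CIPHER_2_3 = "BF-CBC"  # assumed default when no cipher line is present


def parse_directives(config_text):
    """Return {directive: [args]}; comments (# or ;) are dropped, last line wins."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def audit(config_text):
    """Return a list of findings; an empty list means no 64-bit cipher is in use."""
    directives = parse_directives(config_text)
    cipher_args = directives.get("cipher")
    cipher = (cipher_args[0] if cipher_args else DEFAULT_CIPHER_2_3).upper()
    if not cipher.startswith(SMALL_BLOCK_PREFIXES):
        return []
    source = "explicit" if cipher_args else "implicit default"
    findings = [f"64-bit block cipher {cipher} ({source})"]
    # reneg-bytes 0 (or absent) means no byte-based renegotiation at all.
    reneg = directives.get("reneg-bytes")
    if not reneg or not reneg[0].isdigit() or int(reneg[0]) == 0:
        findings.append("no reneg-bytes limit on data encrypted under one key")
    return findings


# Constructed sample configurations (not from any real deployment).
SAMPLE_DEFAULT = "client\nremote vpn.example.com 1194\n# no cipher line\n"
SAMPLE_BF_LIMITED = "cipher BF-CBC\nreneg-bytes 64000000\n"
SAMPLE_AES = "cipher AES-256-CBC  # 128-bit block\n"

if __name__ == "__main__":
    samples = {"default": SAMPLE_DEFAULT, "bf+limit": SAMPLE_BF_LIMITED,
               "aes": SAMPLE_AES}
    for label, text in samples.items():
        print(label, audit(text) or "ok")
```

A key-renegotiation limit only reduces exposure; a config that still reports a 64-bit cipher remains a candidate for migration to a 128-bit block cipher.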
