Synology-SA-17:23 OpenVPN

Publish Time: 2017-06-22 00:00:00 UTC+8

Last Updated: 2021-05-11 17:17:48 UTC+8

Severity: Low

Status: Resolved

Abstract

CVE-2017-7508 can allow remote attackers to cause a denial of service for either server or client.

CVE-2017-7520 can allow man-in-the-middle attackers to steal the client's HTTP proxy password.

CVE-2017-7521 can allow remote users to obtain server information from process memory.

CVE-2017-7522 does not affect any Synology products.

Severity

Low

CVSSv3 Base Score: N/A

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
    • SRM 1.1
    • VPN Server 1.3.5-2761 and earlier
    • VPN Plus Server 1.1.1-1031 and earlier
  • Models
    • All Synology models

Description

  • CVE-2017-7508
    Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(), and change the ASSERT() check in mss_fixup_dowork() into a simple "return" (= the TCP header will simply not be inspected further).

  • CVE-2017-7520
    If clients use an HTTP proxy with NTLM authentication (i.e. "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"), a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password.

  • CVE-2017-7521
    Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack.
    When using the --x509-alt-username option on openssl builds with an extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the code would not free all allocated memory. Fix this by using the proper free function.

  • CVE-2017-7522
    asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character. Impact analysis:
    • applies to mbedtls builds only
    • introduced in 2.4 (so 2.3 is not affected)
    • can only be exploited if the --x509-track option is used
    • requires the CA to sign a certificate with an embedded NUL in the certificate subject
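The length validation described for CVE-2017-7508, as an added C example that is not OpenVPN's or Synology's code: ipv6_tcp_header_inspectable() (a hypothetical name) refuses to look at the TCP header unless the IPv6 Payload Length and TCP Data Offset fields agree with the bytes actually received, and it returns false instead of asserting, so a malformed packet is skipped rather than taking the process down. check_constructed() builds constructed packets for exercising it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN    40   /* fixed IPv6 header */
#define TCP_MIN_HDR_LEN 20   /* TCP header with Data Offset 5 */
#define NEXT_HDR_TCP    6

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns true only if every length field is consistent with the 'len' bytes
 * actually in the buffer, so the TCP header at offset IPV6_HDR_LEN can be read.
 * Any inconsistency returns false; nothing asserts. Extension headers are not
 * walked here: anything other than TCP right after the fixed header is skipped. */
bool ipv6_tcp_header_inspectable(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return false;
    if (pkt[6] != NEXT_HDR_TCP)
        return false;
    size_t payload_len = rd16(pkt + 4);
    /* The claimed payload must really be present and hold a minimal TCP header. */
    if (payload_len < TCP_MIN_HDR_LEN || payload_len > len - IPV6_HDR_LEN)
        return false;
    /* TCP Data Offset is in 32-bit words; it must not run past the payload. */
    size_t tcp_hdr_len = (size_t)(pkt[IPV6_HDR_LEN + 12] >> 4) * 4;
    return tcp_hdr_len >= TCP_MIN_HDR_LEN && tcp_hdr_len <= payload_len;
}

/* Constructed test vector (not a captured packet): IPv6 header with the given
 * Payload Length and Next Header fields, followed by 'actual_tcp_bytes' of a TCP
 * header whose Data Offset field (in words) is 'data_offset'. Returns the verdict. */
bool check_constructed(uint16_t payload_len_field, uint8_t next_hdr,
                       uint8_t data_offset, size_t actual_tcp_bytes)
{
    uint8_t buf[256];
    size_t total = IPV6_HDR_LEN + actual_tcp_bytes;
    if (total > sizeof buf)
        return false;
    memset(buf, 0, total);
    buf[0] = 0x60;                                  /* version 6 */
    buf[4] = (uint8_t)(payload_len_field >> 8);  buf[5] = (uint8_t)(payload_len_field & 0xff);
    buf[6] = next_hdr;
    buf[7] = 64;                                    /* hop limit */
    if (actual_tcp_bytes > 12)
        buf[IPV6_HDR_LEN + 12] = (uint8_t)(data_offset << 4);
    return ipv6_tcp_header_inspectable(buf, total);
}
```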

Mitigation

We are now working on a solution to this vulnerability. For an immediate workaround, please contact us at security@synology.com.

Update Availability

To fix the security issue, please update DSM 6.0 and DSM 6.1 to 6.2-23739 or above, update SRM 1.1 to 1.2.5-8225 or above, update VPN Server to 1.3.6-2765 or above and update VPN Plus Server to 1.4.0-0529 or above.
