Text only | Text with Images

OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: pfiatde on November 13, 2023, 09:49:56 AM

Title: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: pfiatde on November 13, 2023, 09:49:56 AM
Hi,
there are two CVEs regarding OpenVPN.
https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst
Sadly, there is not much information around, but one of them is a memory leak, which might be unauthenticated.

Does anybody have more information, or would it be possible to quickly bump the version to 2.6.7 for the OpenVPN package?
The distros are slow with patches at the moment, which might mean this is not "Heartbleed" like, however the VPN is critical for our infrastructure, so ...

BR,
Matthias
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: franco on November 13, 2023, 11:47:02 AM
Hi Matthias,

Thanks for the pointer. I missed this as well.

https://github.com/opnsense/ports/commit/b9d4398ada1

But I can only offer an unvetted snapshot at the moment:

# opnsense-revert -z openvpn

The stable update has to wait for 23.7.9.


Cheers,
Franco
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: pfiatde on November 13, 2023, 12:23:35 PM
Thanks for that.
Let's wait and see how critical the vuln is. Might be from no problem up to critical...

Strictly limiting IP addresses for the VPN endpoint should at least reduce the risk.
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 13, 2023, 06:47:40 PM
Quote from: franco on November 13, 2023, 11:47:02 AM

But I can only offer an unvetted snapshot at the moment:


I have two FWs I can try it on as soon as you have time for the OpenSSL 3.x build :)
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: DEC670airp414user on November 13, 2023, 10:21:58 PM
can't update business edition with that command  :(
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 13, 2023, 10:51:24 PM
99.999% of the threads/issues/solutions posted here pertain to the community edition - unless otherwise specified.

For the Business Edition a proper announcement will be made when an update is available.
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: franco on November 14, 2023, 08:07:52 AM
To get creative... ;)

# pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/latest/All/openvpn-2.6.7.pkg

But as I said it hasn't been vetted although risk is pretty low as it's an official OpenVPN release and it builds fine. Same as 2.6.6 update really.


Cheers,
Franco
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 14, 2023, 08:19:30 AM
I would have tried it on a stock 23.7, but I'm expecting it to be tied to 1.1.1w.

I'll have to wait for the 3.x rebuild  - since I don't have anything left on 1.1.1.w
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 14, 2023, 09:19:30 AM
2.6.7 and pftop are fine on 3.0.12, thanks Franco
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: franco on November 14, 2023, 10:47:19 AM
I'm rebuilding snapshots as fast as I can ;)


Cheers,
Franco
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: franco on November 16, 2023, 08:19:39 AM
There was a regression in 23.6.7 so the port was updated again:

https://github.com/freebsd/freebsd-ports/commit/8d2e9d99db


Cheers,
Franco
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 16, 2023, 08:44:16 AM
Thank you, I'll keep an eye on it
Title: Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
Post by: newsense on November 16, 2023, 08:04:18 PM
All good so far on 2.6.7_1, no regressions spotted
Text only | Text with Images