CVE-2023-46850: OpenVPN Access Server Flaw Exposes Sensitive Data, RCE Possible

OpenVPN Access Server, a popular open-source VPN solution, has been patched to address two vulnerabilities that could allow attackers to gain unauthorized access to sensitive information.

The vulnerabilities, CVE-2023-46849 and CVE-2023-46850, affect OpenVPN Access Server versions 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, and 2.12.1. These versions contain a copy of OpenVPN 2.6 that has two vulnerabilities in it:

CVE-2023-46849: Division by Zero Crash

The first vulnerability, CVE-2023-46849, is a division by zero crash that can occur when the OpenVPN Access Server is configured with the –fragment option enabled. While this configuration is not part of the default setup, some users may have explicitly enabled it. If exploited, this vulnerability could potentially crash the OpenVPN Access Server, disrupting VPN connectivity and potentially exposing sensitive data.

CVE-2023-46850: Use-After-Free Memory Security Issue

The second vulnerability, CVE-2023-46850, is a more severe use-after-free memory security issue that could allow attackers to leak sensitive information from the OpenVPN Access Server’s memory. In extreme cases, this vulnerability could also potentially lead to remote code execution, enabling attackers to take control of the affected server.

“OpenVPN 2.6 from v2.6.0 up to and including v.2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using –secret) are affected by this issue,” read the security advisory.

Immediate Upgrade to OpenVPN Access Server 2.12.2

To mitigate these critical vulnerabilities, OpenVPN has released version 2.12.2 of OpenVPN Access Server, which incorporates the newly released OpenVPN 2.6.7 that addresses both vulnerabilities. All users of OpenVPN Access Server versions 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, or 2.12.1 are strongly urged to upgrade to version 2.12.2 immediately to protect their systems from potential exploitation.

Protecting Your VPN Security

In addition to upgrading to the latest version of OpenVPN Access Server, it is crucial to implement additional security measures to safeguard your VPN infrastructure:

  1. Regularly Update Software: Keep your VPN software and operating system up to date with the latest security patches.

  2. Strong Password Enforced: Enforce strong password policies for all VPN users, including minimum password length, complexity requirements, and regular password changes.

  3. Two-Factor Authentication: Implement two-factor authentication (2FA) for an additional layer of security when accessing the VPN.

  4. VPN Access Restrictions: Restrict VPN access to authorized users and devices, limiting access to only those who genuinely require it.

  5. Network Monitoring: Continuously monitor your VPN network for suspicious activity or unauthorized access attempts.