CVE-2005-2533
CVSS 2.1
Published: 2005-08-24 00:00:00
Last revised: 2008-09-05 16:52:00

[Original] OpenVPN before 2.0.1, when running in "dev tap" Ethernet bridging mode, allows remote authenticated clients to cause a denial of service (memory exhaustion) via a flood of packets with a large number of spoofed MAC addresses.


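[CNNVD] OpenVPN Multiple Denial of Service Vulnerabilities (CNNVD-200508-286)

        OpenVPN is an application-layer VPN implementation based on the OpenSSL library.
        OpenVPN contains multiple denial-of-service vulnerabilities, as follows:
        If certificate authentication of a client connection to the server fails, the OpenSSL error queue is not flushed, so another, unrelated client instance on the server sees the error and responds to it, and the unrelated client is disconnected. (CAN-2005-2531)
        If a packet sent by a client cannot be decrypted on the server, the OpenSSL error queue is not flushed, so another, unrelated client instance on the server sees the error and responds to it, and the unrelated client is disconnected. (CAN-2005-2532)
        In theory, a malicious client in "dev tap" Ethernet bridging mode can flood the server with packets that appear to come from many different MAC addresses, causing the OpenVPN process to exhaust system virtual memory as it expands its internal routing table. (CAN-2005-2533)
        If --duplicate-cn is not enabled on the server, then when two or more client machines simultaneously attempt to connect to the server over TCP using the same client certificate, a race condition causes the server to crash with "Assertion failed at mtcp.c:411". (CAN-2005-2534)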

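- CVSS (Base Score)

CVSS score: 2.1 [Minor (LOW)]
Confidentiality impact: NONE [No impact on the confidentiality of the system]
Integrity impact: NONE [No impact on the integrity of the system]
Availability impact: PARTIAL [May cause reduced performance or interrupted access to resources]
Attack complexity: LOW [Exploitation has no access restrictions]
Attack vector: LOCAL [Exploitation requires physical access or a local account]
Authentication: NONE [Exploitation requires no authentication]

- CPE (Affected Platforms and Products)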

cpe:/a:openvpn:openvpn:2.0_rc11
cpe:/a:openvpn:openvpn:2.0_rc14
cpe:/a:openvpn:openvpn:2.0_rc4
cpe:/a:openvpn:openvpn:2.0_test21
cpe:/a:openvpn:openvpn:2.0_test22
cpe:/a:openvpn:openvpn:2.0_beta19
cpe:/a:openvpn:openvpn:2.0_rc5
cpe:/a:openvpn:openvpn:2.0_test27
cpe:/a:openvpn:openvpn:2.0_beta28
cpe:/a:openvpn:openvpn:2.0_rc16
cpe:/a:openvpn:openvpn:2.0_test1
cpe:/a:openvpn:openvpn:2.0_rc15
cpe:/a:openvpn:openvpn:2.0_beta6
cpe:/a:openvpn:openvpn:2.0_beta18
cpe:/a:openvpn:openvpn:2.0_beta8
cpe:/a:openvpn:openvpn:2.0_beta13
cpe:/a:openvpn:openvpn:2.0_test11
cpe:/a:openvpn:openvpn:2.0_rc9
cpe:/a:openvpn:openvpn:2.0.1_rc2
cpe:/a:openvpn:openvpn:2.0_rc1
cpe:/a:openvpn:openvpn:2.0_test6
cpe:/a:openvpn:openvpn:2.0_beta9
cpe:/a:openvpn:openvpn:2.0.1_rc1
cpe:/a:openvpn:openvpn:2.0_rc12
cpe:/a:openvpn:openvpn:2.0_test5
cpe:/a:openvpn:openvpn:2.0_test9
cpe:/a:openvpn:openvpn:2.0_rc2
cpe:/a:openvpn:openvpn:2.0.1_rc3
cpe:/a:openvpn:openvpn:2.0_test3
cpe:/a:openvpn:openvpn:2.0_test10
cpe:/a:openvpn:openvpn:2.0_test20
cpe:/a:openvpn:openvpn:2.0_test8
cpe:/a:openvpn:openvpn:2.0_rc6
cpe:/a:openvpn:openvpn:2.0_rc13
cpe:/a:openvpn:openvpn:2.0_beta16
cpe:/a:openvpn:openvpn:2.0_rc17
cpe:/a:openvpn:openvpn:2.0_rc10
cpe:/a:openvpn:openvpn:2.0_beta12
cpe:/a:openvpn:openvpn:2.0_test7
cpe:/a:openvpn:openvpn:2.0_beta20
cpe:/a:openvpn:openvpn:2.0.1_rc4
cpe:/a:openvpn:openvpn:2.0_beta7
cpe:/a:openvpn:openvpn:2.0_rc20
cpe:/a:openvpn:openvpn:2.0_test23
cpe:/a:openvpn:openvpn:2.0.1_rc6
cpe:/a:openvpn:openvpn:2.0_beta1
cpe:/a:openvpn:openvpn:2.0_test18
cpe:/a:openvpn:openvpn:2.0_rc21
cpe:/a:openvpn:openvpn:2.0_test17
cpe:/a:openvpn:openvpn:2.0_test14
cpe:/a:openvpn:openvpn:2.0_beta4
cpe:/a:openvpn:openvpn:2.0_rc19
cpe:/a:openvpn:openvpn:2.0_test2
cpe:/a:openvpn:openvpn:2.0_beta11
cpe:/a:openvpn:openvpn:2.0_beta3
cpe:/a:openvpn:openvpn:2.0_rc8
cpe:/a:openvpn:openvpn:2.0_beta15
cpe:/a:openvpn:openvpn:2.0_test15
cpe:/a:openvpn:openvpn:2.0_test29
cpe:/a:openvpn:openvpn:2.0_beta5
cpe:/a:openvpn:openvpn:2.0
cpe:/a:openvpn:openvpn:2.0_test26
cpe:/a:openvpn:openvpn:2.0_beta10
cpe:/a:openvpn:openvpn:2.0_test24
cpe:/a:openvpn:openvpn:2.0_test16
cpe:/a:openvpn:openvpn:2.0_rc18
cpe:/a:openvpn:openvpn:2.0_beta17
cpe:/a:openvpn:openvpn:2.0_test12
cpe:/a:openvpn:openvpn:2.0_test19
cpe:/a:openvpn:openvpn:2.0.1_rc5
cpe:/a:openvpn:openvpn:2.0.1_rc7
cpe:/a:openvpn:openvpn:2.0_beta2
cpe:/a:openvpn:openvpn:2.0_rc3
cpe:/a:openvpn:openvpn:2.0_rc7

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2533
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2533
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-286
(Official data source) CNNVD

- Other Links and Resources

http://www.mandriva.com/security/advisories?name=MDKSA-2005:145
(VENDOR_ADVISORY)  MANDRIVA  MDKSA-2005:145
http://www.debian.org/security/2005/dsa-851
(UNKNOWN)  DEBIAN  DSA-851
http://secunia.com/advisories/17103
(UNKNOWN)  SECUNIA  17103
http://secunia.com/advisories/16463
(UNKNOWN)  SECUNIA  16463
http://openvpn.net/changelog.html
(UNKNOWN)  CONFIRM  http://openvpn.net/changelog.html

- Vulnerability Information

OpenVPN Multiple Denial of Service Vulnerabilities
Low risk  Unknown
2005-08-24 00:00:00 2005-10-20 00:00:00
Local

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://openvpn.net/release/openvpn-2.0.1.tar.gz

- Vulnerability Information (F40556)

Debian Linux Security Advisory 851-1 (PacketStormID:F40556)
2005-10-11 00:00:00
Debian  security.debian.org
advisory
linux,debian
CVE-2005-2531,CVE-2005-2532,CVE-2005-2533,CVE-2005-2534

Debian Security Advisory DSA 851-1 - Several security related problems have been discovered in openvpn, a Virtual Private Network daemon.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 851-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 9th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openvpn
Vulnerability  : programming errors
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2531 CAN-2005-2532 CAN-2005-2533 CAN-2005-2534
Debian Bug     : 324167

Several security related problems have been discovered in openvpn, a
Virtual Private Network daemon.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CAN-2005-2531

    Wrong processing of failed certificate authentication when running
    with "verb 0" and without TLS authentication can lead to a denial
    of service by disconnecting the wrong client.

CAN-2005-2532

    Wrong handling of packets that can't be decrypted on the server
    can lead to the disconnection of unrelated clients.

CAN-2005-2533

    When running in "dev tap" Ethernet bridging mode, openvpn can
    exhaust its memory by receiving a large number of spoofed MAC
    addresses and hence denying service.

CAN-2005-2534

    Simultaneous TCP connections from multiple clients with the same
    client certificate can cause a denial of service when
    --duplicate-cn is not enabled.

The old stable distribution (woody) does not contain openvpn packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.0-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.2-1.

We recommend that you upgrade your openvpn package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1.dsc
      Size/MD5 checksum:      629 1fee867074a153eac1f82d11e75aa833
    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1.diff.gz
      Size/MD5 checksum:    51566 578da11dd408ea72e4791646e700dac4
    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0.orig.tar.gz
      Size/MD5 checksum:   639201 7401faebc6baee9add32608709c54eec

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_alpha.deb
      Size/MD5 checksum:   347184 ed8f3706d9f7af8b4baf148786141e5a

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_amd64.deb
      Size/MD5 checksum:   316422 3dfdd5a007c62ceb28153e63677a884a

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_arm.deb
      Size/MD5 checksum:   296464 20f23e0a9f251eedc340e926f455c8e0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_i386.deb
      Size/MD5 checksum:   302424 fe92352695fd5fdfa85a4ffea6b7cffe

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_ia64.deb
      Size/MD5 checksum:   395514 04207a2bfd92cd56c79a4d434f514bee

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_hppa.deb
      Size/MD5 checksum:   316716 8065982ef523c653e8d25bedf716fb03

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_m68k.deb
      Size/MD5 checksum:   276388 33de460a73afad6cb44a6753ea862c27

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_mips.deb
      Size/MD5 checksum:   317632 d8f4dd1ea4fce2c4c48a3e096d3da12c

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_mipsel.deb
      Size/MD5 checksum:   319404 c9a918128a56462a98049b160bfeb9d0

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_powerpc.deb
      Size/MD5 checksum:   308772 1f7300816c44924fc10b5ba6e59ff00c

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_s390.deb
      Size/MD5 checksum:   307220 bf9b59dab82ff1bd49ce7b4a3c9f2d7f

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge1_sparc.deb
      Size/MD5 checksum:   294696 503317cf10f2976dffa8d25056517925


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDSMNpW5ql+IAeqTIRAhe+AJ0YU15iLXkzRvh4BEzqk7ExiHl6yQCffZD7
19wKkfAe6Mq6/1UJTEZUOHQ=
=GGrL
-----END PGP SIGNATURE-----


- Vulnerability Information

18884
OpenVPN Client Spoofed MAC Address Saturation DoS
Denial of Service
Loss of Availability

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-08-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
