Netgate Discussion Forum
    OpenVPN Vulnerability CVE-7521

    Problems Installing or Upgrading pfSense Software
    22 Posts 10 Posters 5.5k Views
    • Pippin

      More info:

      https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • jimp (Rebel Alliance Developer, Netgate)

        Client Export is already updated with installers for OpenVPN 2.4.3 and 2.3.17

        pfSense 2.4 snapshots have OpenVPN 2.4.3 right now

        pfSense 2.3.5 snapshots have OpenVPN 2.3.17 right now

        pfSense 2.3.4 will have something very soon. We have a 2.3.4-p1 release pending but there are a few blockers yet (like a fix from FreeBSD for the recent Stack Clash issue). We're experimenting with a way to have OpenVPN update to 2.3.17 as a part of the client export package update but it isn't working in an ideal way yet. At worst you might have to "pkg update; pkg upgrade -y openvpn23; /etc/rc.openvpn" (don't actually run this yet, it won't do anything until/unless we put a new OpenVPN up)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • guy3145

          Is it possible to update only the OpenVPN package?

          • jimp (Rebel Alliance Developer, Netgate)

            It is possible, yes, but without some code to make sure other things happen like restarting all OpenVPN instances, it's not ideal. The last part of my post above would do exactly what you asked, if we provide an updated package on its own. Since FreeBSD has now published a fix for the Stack Clash issue we'll probably have an update out for all of this shortly.

            • jimp (Rebel Alliance Developer, Netgate)

              We have pushed an updated OpenVPN package out for 2.4.3 since the -p1 release is still held up waiting on Stack Clash.

              Details and update instructions are here: https://www.netgate.com/blog/important-update-for-openvpn.html

              • dem

                Jim, your blog post says, "We strongly recommend all users upgrade…". To clarify, does that mean "all users who use OpenVPN" or "all pfSense users"?

                Thanks.

                • jimp (Rebel Alliance Developer, Netgate)

                  Even if you don't use it now, I'd update it anyhow so it doesn't become an issue if you decide to turn it on later and haven't updated anything yet.

                  • dem

                    OK, thanks. Since I have no plans to use it I'll upgrade when convenient rather than immediately.

                    • ashes00

                      @jimp:

                      We have pushed an updated OpenVPN package out for 2.4.3 since the -p1 release is still held up waiting on Stack Clash.

                      Details and update instructions are here: https://www.netgate.com/blog/important-update-for-openvpn.html

                      Hey jimp, thanks for all your help over the years here! Do we have a time frame for when 2.4.3-p1 will be available? I would really like to update this the official way. Side note: I have read the Netgate blog, but prefer the standard update method. Thanks in advance

                      ,smAsh

                      • jimp (Rebel Alliance Developer, Netgate)

                        We don't have a timeline from FreeBSD on when things will be settled there. If you keep an eye on FreeBSD news/announcements, once you see them release a Security Advisory for the Stack Clash stuff then we'll be following behind them shortly. Everything else is ready for the release I believe.

                        • anajames

                          @Dave:

                          OK, thanks. Since I have no plans to use it I'll upgrade when convenient rather than immediately.

                          Guess I will be doing the same; so far it is good.

                          • ashes00

                            @jimp:

                            We don't have a timeline from FreeBSD on when things will be settled there. If you keep an eye on FreeBSD news/announcements, once you see them release a Security Advisory for the Stack Clash stuff then we'll be following behind them shortly. Everything else is ready for the release I believe.

                            Jimp, good morning sir. Please don't take this personally, but I need to put this out there since it's related to the security of a major piece of pfSense. Netgate needs to understand that Stack Clash is a local exploitation problem while the OpenVPN items are a remote exploitation problem. I believe that a remote exploitation problem takes precedence over a local exploitation problem, and I'm sure most admins would agree. To hear that Netgate is holding up the official pfSense update patch waiting for the upstream to patch a lesser local problem is very concerning. The reason I'm being vocal about this is because I love pfSense. It is decisions like these out of Netgate that have me concerned for the future security of pfSense. Don't get me wrong, I know I can manually patch from the command line, but that blog post & patch method in itself is yet another indicator of concern. Just push out an official patch ASAP! I do not feel that the folks at Netgate are taking security as seriously as they should. Side note: I am not seeing much discussion online about Security Advisories for FreeBSD 10.3 & Stack Clash. Who knows when that will be dropped.

                            I am sure I will ruffle some feathers of others, and I'm sorry. I'm not trying to be a troll dick. I'm just trying to voice concern over a security issue being held up when it should not be. Thanks for allowing me to be a part of the pfSense community even if I do not agree with how this security issue is being handled.

                            NETGATE PLEASE release an official patch, and handle the Stack Clash afterwards.  Thank you

                            smAsh,

                            • jimp (Rebel Alliance Developer, Netgate)

                              Those concerns are why we put out the announcement and update packages we did.

                              We don't want to put out a 2.3.4-p1 and then a few days later put out another 2.3.4-p2 going through two lengthy testing and release cycles back-to-back.

                              Also, under the correct conditions, Stack Clash can be remotely exploited.

                              • ashes00

                                I'm sorry, I was unaware that Stack Clash was remotely exploitable. My research did not find that piece of information, only local exploitation. I'll be quiet now and wait for the official update. Thanks Jimp

                                smAsh,

                                • Harvy66

                                  @ashes00:

                                  I'm sorry, I was unaware that Stack Clash was remotely exploitable. My research did not find that piece of information, only local exploitation. I'll be quiet now and wait for the official update. Thanks Jimp

                                  smAsh,

                                  I think he meant it in the way that any local exploit could potentially be coupled with a remote exploit.

                                  • jimp (Rebel Alliance Developer, Netgate)

                                    @Harvy66:

                                    @ashes00:

                                    I'm sorry, I was unaware that Stack Clash was remotely exploitable. My research did not find that piece of information, only local exploitation. I'll be quiet now and wait for the official update. Thanks Jimp

                                    I think he meant it in the way that any local exploit could potentially be coupled with a remote exploit.

                                    While that is true, there is also this:

                                    https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash

                                    Is it exploitable remotely?

                                    Our research has mainly focused on local exploitation: as of this writing on June 19, 2017, we do not know of any remotely exploitable application. However, remote exploitation of the Stack Clash is not excluded; although local exploitation will always be easier, and remote exploitation will be very application-specific. The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck.

                                    They didn't test many applications, and the one they did test happened to not be exploitable, but the possibility still exists.

                                    It's dangerous to assume it's local only given the context.

                                    • Harvy66

                                      I was always under the impression that the stack was a fixed size, which is why you can configure the size, and if your stack gets greater than that size you get a stack overflow. When did stacks start to "grow automatically"?! Unless they're talking about the stack being thinly allocated via zero paging it.

                                      • cadince

                                        @jimp:

                                        We have pushed an updated OpenVPN package out for 2.4.3 since the -p1 release is still held up waiting on Stack Clash.

                                        Details and update instructions are here: https://www.netgate.com/blog/important-update-for-openvpn.html

                                        Will any of these methods still work for those of us on 2.3.3 who haven't updated to 2.3.4 as yet? If possible, I'd like to get this fix installed without doing a full system upgrade yet (since there's a new version coming out so soon anyways for the Stack Clash vulnerability).

                                        • jimp (Rebel Alliance Developer, Netgate)

                                          No, the update is only available to people on 2.3.4.

                                          However, if you update from 2.3.3 to 2.3.4 now, you'll pick up the new OpenVPN during the update automatically.

                                          • beremonavabi

                                            From those instructions, I chose option #2:

                                            If a firewall currently has the OpenVPN Client Export package installed:

                                            Update the package to version 1.4.12 or later from System > Package Manager on the Installed Packages tab, which will also update openvpn in the base system.
                                            Manually restart each instance of OpenVPN from Status > Services or reboot the firewall.

                                            All looks good. Running "pkg info -x openvpn" from Diagnostics > Command Prompt gives me:

                                            openvpn-client-export-2.4.3_3
                                            openvpn23-2.3.17
                                            pfSense-pkg-openvpn-client-export-1.4.12

                                            The one thing I'm unclear about is the third paragraph in the article:

                                            Users of the OpenVPN Client Export package should also update that package on pfSense installations (See item #2 below), and update all client devices with the latest version of OpenVPN. The latest version of the OpenVPN Client Export Package (1.4.9 or later) contains Windows installers for OpenVPN 2.4.3 and 2.3.17. Re-running an exported installer will not update the client; OpenVPN must be removed from the client first before installing a new exported client. Alternately, manually download and install the latest client directly from OpenVPN (that's https://openvpn.net/index.php/open-source/downloads.html).

                                            I'm assuming by "update all client devices with the latest version of OpenVPN," that means (in my case) the OpenVPN for Android app I installed on my Android phones.  Since the phones automatically updated that and the "What's New" for the app says it fixed CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, and CVE-2017-7522, I again assume I don't have to do anything with the phone app.  But, do I have to re-export the profiles from pfSense (I originally exported the Inline Configurations for Android and pointed OpenVPN for Android on the phones at them)?

                                            SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

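Two posts in this thread describe the same check from different angles: jimp's note that the fixed builds are OpenVPN 2.3.17 (the openvpn23 package on pfSense 2.3.x) and 2.4.3 (pfSense 2.4), and beremonavabi's "pkg info -x openvpn" output above used to confirm the update landed. The script below is an added example written for this page, not Netgate's or pfSense's own code. It parses pkg-info style NAME-VERSION lines, strips the FreeBSD port-revision suffix (the "_3" in openvpn-client-export-2.4.3_3) before comparing, and reports whether the base-system OpenVPN is at or above the fixed release named in the thread. The three lines of SAMPLE_23_OK are the output quoted in the post; the other samples are constructed, and the package name "openvpn" for the 2.4 build is an assumption (the FreeBSD port name).

```shell
#!/bin/sh
# Added example (not pfSense/Netgate code): check whether the installed
# OpenVPN base package is at or above the fixed release named in the thread.

# Constructed samples in the format of `pkg info -x openvpn`. SAMPLE_23_OK is
# the output quoted in the post above; the other two are made up.
SAMPLE_23_OK='openvpn-client-export-2.4.3_3
openvpn23-2.3.17
pfSense-pkg-openvpn-client-export-1.4.12'

SAMPLE_23_OLD='openvpn23-2.3.14_1
pfSense-pkg-openvpn-client-export-1.4.8'

# Assumption: on pfSense 2.4 the base package is named "openvpn" (FreeBSD port name).
SAMPLE_24_OK='openvpn-2.4.3_1
openvpn-client-export-2.4.3_3'

# pkg_version NAME "LINES": print the version of the package whose name is
# exactly NAME. pkg prints NAME-VERSION, so the version follows the last dash;
# this keeps "openvpn" from matching "openvpn-client-export".
pkg_version() {
    printf '%s\n' "$2" | awk -v name="$1" '{
        i = match($0, /-[^-]*$/)
        if (i && substr($0, 1, i - 1) == name) print substr($0, i + 1)
    }'
}

# version_ge A B: succeed if dotted version A >= B. The FreeBSD port revision
# ("_3") and epoch (",1") suffixes are ignored; only the upstream version counts.
version_ge() {
    a=${1%%_*}; a=${a%%,*}
    b=${2%%_*}; b=${b%%,*}
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# openvpn_status "LINES": print fixed / vulnerable / absent for the base-system
# OpenVPN package and succeed only when it is at a fixed release.
openvpn_status() {
    v23=$(pkg_version openvpn23 "$1")   # pfSense 2.3.x package, fixed in 2.3.17
    v24=$(pkg_version openvpn "$1")     # pfSense 2.4 package, fixed in 2.4.3
    status=absent
    if [ -n "$v23" ]; then
        if version_ge "$v23" 2.3.17; then status=fixed; else status=vulnerable; fi
    elif [ -n "$v24" ]; then
        if version_ge "$v24" 2.4.3; then status=fixed; else status=vulnerable; fi
    fi
    printf '%s\n' "$status"
    case $status in fixed) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run over the samples. On a real firewall, feed it the live output:
#   openvpn_status "$(pkg info -x openvpn)"
for s in "$SAMPLE_23_OK" "$SAMPLE_23_OLD" "$SAMPLE_24_OK"; do
    openvpn_status "$s" || :
done
```

The exit status makes the function usable as a gate in a post-update script: a nonzero result means the base package is missing or still below the fixed version, which is exactly the case where the package update described above has not taken effect.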
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.