    OpenVPN LZO vulnerability

    • Bismarck
      Bismarck last edited by

      http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

      Because of the speed and efficiency of the algorithm, LZO has made its way into both proprietary and open source projects world-wide. It has lived in automotive systems, airplanes, and other embedded systems for over a decade. The algorithm has even made its way into projects we use on a daily basis, such as OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, Juniper Junos, and much, much, more.

      I don't know if it's critical or not, just reporting.

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        I may be missing something, but it reads like it needs 16+MB of data to work, and OpenVPN would compress one packet at a time (practically, no larger than 1500 bytes per packet, less really with overhead).

        If OpenVPN issues a statement we may need to update, but unless someone can show it's vulnerable on OpenVPN (+FreeBSD) then it may not be a problem.

        • Bismarck
          Bismarck last edited by

          Okay, thanks for the clarification. :)

          • AhnHEL
            AhnHEL last edited by

            https://community.openvpn.net/openvpn/ticket/419

            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Their analysis was better than mine but reached the same conclusion. There's no way to exploit it via OpenVPN.

              It's still difficult to exploit even using other methods.

              http://it.slashdot.org/story/14/06/28/1949243/are-the-hard-to-exploit-bugs-in-lzo-compression-algorithm-just-hype
