OpenVPN LZO vulnerability
-
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
Because of the speed and efficiency of the algorithm, LZO has made its way into both proprietary and open source projects world-wide. It's has lived in automotive systems, airplanes, and other embedded systems for over a decade. The algorithm has even made its way into projects we use on a daily basis, such as OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, Juniper Junos, and much, much, more.
I don't know if its critic or not, just reporting.
-
I may be missing something, but it reads like it needs 16+MB of data to work, and OpenVPN would compress one packet at a time (practically, no larger than 1500bytes per packet, less really with overhead).
If OpenVPN issues a statement we may need to update, but unless someone can show it's vulnerable on OpenVPN (+FreeBSD) then it may not be a problem.
-
Okay, thanks for the clarification. :)
-
https://community.openvpn.net/openvpn/ticket/419
-
Their analysis was better than mine but reached the same conclusion. There's no way to exploit it via OpenVPN.
It's still difficult to exploit even using other methods.
