Timing attack vulnerability in OpenVPN by OpenVPN Technologies
CVE-2013-2061

Currently unrated

Key Information:

Vendor

Openvpn
Status
Openvpn
Openvpn Access Server
Vendor
CVE Published:
18 November 2013

What is CVE-2013-2061?

The openvpn_decrypt function in OpenVPN prior to version 2.3.1 is susceptible to a timing attack when operating in UDP mode. This vulnerability arises from an HMAC comparison function that does not execute in constant time, allowing remote attackers to exploit variations in execution time to gather sensitive information. Additionally, a padding oracle attack can be leveraged against the CBC mode cipher, further compromising the security of encrypted communications. It is crucial for users of affected OpenVPN versions to apply security updates promptly to mitigate this risk.

References

http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
http://lists.opensuse.org/opensuse-updates/2013-11/msg000...
vendor-advisoryx_refsource_SUSE

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.