Denial of Service Vulnerability in OpenVPN by OpenVPN Technologies
CVE-2023-46849

7.5HIGH

Key Information:

Vendor: OpenVPN
Status: OpenVPN 2 (Community); Access Server
Vendor: CVE Published:; 11 November 2023

Summary

A vulnerability exists in OpenVPN versions 2.6.0 to 2.6.6 when using the --fragment option in certain configuration scenarios. This issue allows an attacker to exploit a divide by zero condition, potentially triggering application crashes and resulting in a denial of service. Users of the affected versions are encouraged to upgrade to the latest version to mitigate the risk associated with this vulnerability.

Affected Version(s)

Access Server Linux 2.11.0 <= 2.11.3

Access Server Linux 2.12.0 <= 2.12.1

OpenVPN 2 (Community) 2.6.0 <= 2.6.6

References

https://community.openvpn.net/openvpn/wiki/CVE-2023-46849

https://openvpn.net/security-advisory/access-server-secur...

https://www.debian.org/security/2023/dsa-5555

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 11, 2023
Vulnerability Reserved
Oct 27, 2023