OpenVPN 2.6.7 arrives addressing two security issues

OpenVPN is a free-software connectivity tool: an SSL-based VPN (Virtual Private Network).

The release of OpenVPN 2.6.7 was recently announced. This version fixes two security problems that are considered serious and adds several warnings, among other changes.

For those who are unfamiliar with OpenVPN, it is a free-software connectivity tool that provides an SSL (Secure Sockets Layer) based VPN (Virtual Private Network).

OpenVPN offers point-to-point connectivity with hierarchical validation of remotely connected users and hosts. It is a very good option for Wi-Fi technologies (IEEE 802.11 wireless networks) and supports a wide range of configurations, including load balancing.

Main new features of OpenVPN 2.6.7

As mentioned at the beginning, OpenVPN 2.6.7 stands out for fixing two serious security problems. The first is CVE-2023-46850, a use-after-free (memory being used after it has been released) that could cause the contents of process memory to be sent to the other side of the connection and could potentially lead to remote code execution. The problem occurs in configurations that use TLS (run without the “--secret” option).

The other security problem addressed in this version is CVE-2023-46849, a division by zero that can cause a remote access server to fail in configurations that use the “--fragment” option.
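As an added example (not code from the original article or from the OpenVPN project), the script below checks one version and configuration file against the two preconditions just described: no “secret” directive for CVE-2023-46850 and an active “fragment” directive for CVE-2023-46849. The function names and the sample configuration are constructed for illustration, and treating every 2.6.x release before 2.6.7 as affected is an assumption.

```shell
#!/bin/sh
# Added example: triage one OpenVPN version/config pair against the two
# issues fixed in 2.6.7. Function names are hypothetical.

# Succeeds for a 2.6.x release older than 2.6.7.
# Assumption: every 2.6.x release before the fixed 2.6.7 is affected.
needs_update() {
    case "$1" in
        2.6.[0-6] | 2.6.[0-6][!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when directive $2 is an active (uncommented) line in config $1.
has_directive() {
    awk -v d="$2" '
        { sub(/^[ \t]+/, "") }          # drop indentation
        /^[#;]/ || NF == 0 { next }     # skip comments and blank lines
        $1 == d { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints the CVEs whose stated precondition holds. $1 = version, $2 = config.
exposure() {
    needs_update "$1" || { echo "none"; return 0; }
    out=""
    # CVE-2023-46850: TLS configurations, i.e. no "secret" directive.
    has_directive "$2" secret || out="CVE-2023-46850"
    # CVE-2023-46849: configurations that use "fragment".
    has_directive "$2" fragment && out="${out:+$out }CVE-2023-46849"
    echo "${out:-none}"
}

# Constructed sample config: TLS mode, static key commented out, fragment on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
proto udp
ca ca.crt
; secret static.key
  fragment 1300
EOF
# On a real host the version is the second field of `openvpn --version`, line 1.
exposure "2.6.6" "$sample"    # prints: CVE-2023-46850 CVE-2023-46849
rm -f "$sample"
```

Options passed on the command line or pulled in through a nested `config` directive are not seen by this check, so review those separately.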

Among the other changes in OpenVPN 2.6.7, a warning has been added for when the other side sends DATA_V1 packets, which happens when an OpenVPN 2.6.x client tries to connect to incompatible servers based on versions 2.4.0-2.4.4 (the “--disable-dco” option can be used to resolve the incompatibility).

In addition, a warning has been added for when an NCP p2p client connects to a p2mp server (this combination used to work without encryption negotiation), since there are problems when 2.6.x versions are used on both sides of the connection.

Removed a deprecated method linked to OpenSSL 1.x which uses the OpenSSL engine to load keys. The reason cited is the author's reluctance to relicense the code with new link exceptions.

Of the other changes that stand out from this new version:

  • Added a warning that the “--show-groups” flag does not show all supported groups.
  • In the “--dns” parameter, processing of the “exclude-domains” argument, which appeared in the 2.6 branch but is not yet supported on servers, has been removed.
  • Added a warning that will be displayed if the INFO control message is too large to forward to the client.
  • For builds using MinGW and MSVC, support for the CMake build system has been added.
  • Removed support for the old MSVC build system.
  • OpenSSL errors are now logged when the certificate cannot be set, for example if the algorithms used are not acceptable to OpenSSL (a misleading message would be printed in cryptoapi/pkcs11 scenarios).
  • Improved cmocka unit test construction for Windows

Finally, if you are interested in knowing more about it, you can consult the details in the following link.

How to install OpenVPN on Ubuntu and derivatives?

Those interested in installing OpenVPN on their system can do so by following the instructions shared on the official OpenVPN website. The link is this.

One of the easiest ways to install OpenVPN, however, is with an installation script that greatly simplifies the installation and configuration process. To use it, download the script and make it executable:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Then run the script as root, with the TUN module enabled:

./openvpn-install.sh

During the process, follow the wizard and answer a few questions to configure your VPN server. Once the process is finished and OpenVPN is installed, you can run the script again and you will have the option to:

  1. Add a client
  2. Delete a client
  3. Uninstall OpenVPN
