
Critical vulnerability in the OpenVPN server

Illuminatus

on a secret mission
#2
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.

In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys.
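
Added example, not part of the original post or the OpenVPN announcement: a small Python check that reads a server config and reports which of the two barriers named in the quoted text (client certificates, TLS auth) are in place. It assumes a TLS-mode server config; the sample configs, file paths and function names are constructed for illustration.

```python
def parse_directives(text):
    """Map directive name -> argument list. Handles '#'/';' comments,
    '--' prefixes and inline <tls-auth>...</tls-auth> blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                          # inside inline key material: skip
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            directives[block] = []
            continue
        parts = line.split("#", 1)[0].split()
        if parts:
            directives[parts[0].lstrip("-")] = parts[1:]
    return directives

def assess(text):
    """Report which barriers stand between an arbitrary peer and the server."""
    d = parse_directives(text)
    barriers = []
    if "client-cert-not-required" not in d:   # certificates are required by default
        barriers.append("client certificate")
    if "tls-auth" in d:
        barriers.append("tls-auth key")
    return {
        "barriers": barriers,
        # username/password does not count as a barrier per the announcement
        "password_auth": "auth-user-pass-verify" in d,
        "exposure": "key holders only" if barriers else "no barrier",
    }

# Constructed sample configs
CERT_AND_TLSAUTH = "port 1194\nca ca.crt\ncert server.crt\nkey server.key\ntls-auth ta.key 0  # HMAC key\n"
PASSWORD_ONLY = ("; username/password only\nclient-cert-not-required\n"
                 "auth-user-pass-verify /etc/openvpn/check.sh via-env\n#tls-auth ta.key 0\n")
INLINE_KEY = "--client-cert-not-required\n<tls-auth>\n(constructed placeholder key)\n</tls-auth>\n"

if __name__ == "__main__":
    for name in ("CERT_AND_TLSAUTH", "PASSWORD_ONLY", "INLINE_KEY"):
        print(name, assess(globals()[name]))
```

A result of "key holders only" still depends on every holder of those certificates or keys being trusted, which is the condition the announcement attaches to both barriers.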