OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

OpenSSL v3.1.4.0 libcrypto-3-x64.dll & libssl-3-x64.dll vulnerabilities. #474

Closed webshaun closed 4 months ago

webshaun commented 7 months ago

IMPORTANT NOTE Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net

Describe the bug The current version of OpenSSL in paths \openvpn\bin\libcrypto-3-x64.dll and \openvpn\bin\libssl-3-x64.dll has reached end of support and is vulnerable to: CVE-2023-4807, CVE-2023-5363, CVE-2023-3817, CVE-2023-5678

Microsoft Security is detecting this weakness on any system with OpenVPN installed.

To Reproduce

Expected behavior

Version information (please complete the following information):

Additional context Any word when these libraries will be updated?

cron2 commented 7 months ago

This ticket is a bit lacking in "which version of OpenVPN does it refer to?" (especially as you kept the part about OpenVPN Connect) - but I just checked and indeed, 2.6.8 ships OpenSSL 3.1.4.

Of the CVEs given, only the first one might affect OpenVPN, but we're not actively using XMM registers and as far as I know, MSVC isn't either. But still, upsetting security tools is not a good way to build a good reputation :-) - so we'll look into this.

@lstipakov @flichtenheld ISTR we depend on vcpkg defaults here for "which version of OpenSSL do we include", right? Is there anything newer, so it would make sense to build a new 2.6.8 installer "soonish", before 2.6.9 is released?

flichtenheld commented 7 months ago

Not sure what the tool is smoking:

CVE-2023-4807: fixed in 3.1.3 (https://www.openssl.org/news/secadv/20230908.txt)
CVE-2023-5363: fixed in 3.1.4 (https://www.openssl.org/news/secadv/20231024.txt)
CVE-2023-3817: fixed in 3.1.2 (https://www.openssl.org/news/secadv/20230731.txt)
CVE-2023-5678: not fixed in 3.1.4, but I can't see how this would be able to affect OpenVPN (https://www.openssl.org/news/secadv/20231106.txt)

So no, don't think this is worth fixing.
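As an added example (not part of this thread or of the OpenVPN project), a small Python triage helper that applies the fixed-in versions listed above to an OpenSSL version string as a scanner or `openssl version` would report it; the function names and sample inputs are constructed here, and CVE-2023-5678 is mapped to 3.2.0 as stated later in the thread.

```python
import re

# Fixed-in releases as given in this thread (OpenSSL advisories of 2023).
# CVE-2023-5678 was not fixed in 3.1.4; the thread notes 3.2.0 carries the fix.
FIXED_IN = {
    "CVE-2023-3817": "3.1.2",
    "CVE-2023-4807": "3.1.3",
    "CVE-2023-5363": "3.1.4",
    "CVE-2023-5678": "3.2.0",
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '3.1.4',
    'OpenSSL 3.1.4 24 Oct 2023' or a DLL file version like '3.1.4.0'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no OpenSSL version number found in {text!r}")
    return tuple(int(p) for p in m.groups())


def unfixed_cves(version_text, fixed_in=FIXED_IN):
    """Return the CVEs from the table whose fix landed in a release newer
    than the reported version. The comparison is by release number only:
    it knows nothing about backports to older branches, so treat the
    result as triage input, not as a final verdict."""
    have = parse_version(version_text)
    return sorted(cve for cve, fixed in fixed_in.items()
                  if have < parse_version(fixed))


if __name__ == "__main__":
    # Constructed sample: the version bundled with the 2.6.8 installer.
    print(unfixed_cves("OpenSSL 3.1.4 24 Oct 2023"))
```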

flichtenheld commented 7 months ago

Maybe this is not about 2.6.8?

flichtenheld commented 7 months ago

@webshaun Can you please show exactly which version of OpenVPN client triggers this warning?

webshaun commented 7 months ago

I'm sorry, I didn't mention the version. I've been sitting on this warning across all my customers' systems for the last few months, but I've tested the very latest version, 2.6.8. It's still packaging this vulnerable OpenSSL library. Microsoft 365 Defender vulnerability management is reporting this. I found this link online that describes the same issue in another app. https://gitlab.gnome.org/GNOME/gimp/-/issues/10377

schwabe commented 7 months ago

The vulnerability CVE-2023-5678 is considered so minor that not even the OpenSSL project publishes a new OpenSSL version.

webshaun commented 7 months ago

I'm not worried about the CVEs. I'm worried about the fact that it's being flagged and reducing my customers' secure score. Until the OpenSSL libraries packaged in the Windows installer are updated, it will continue to be flagged. Why not just update the libraries and get it over with? An active exploit might not be available, but that doesn't change the fact that you're going to continue to have admins coming in asking about this until it's fixed.

schwabe commented 7 months ago

@webshaun There is no library to update to. The latest library that is available from OpenSSL itself is 3.1.4. There is no 3.1.5 that we even could update to. We are already on the latest available OpenSSL library that is considered secure by the OpenSSL project.

flichtenheld commented 7 months ago

@schwabe 3.2.0 is published which fixes that CVE.

schwabe commented 7 months ago

@flichtenheld yeah, but only because of the technicality that the 3.2.0 release was delayed and therefore managed to have that fix committed. But what I wanted to stress is that we are running the latest release from the still supported OpenSSL 3.1.x branch.

webshaun commented 7 months ago

> @webshaun There is no library to update to. The latest library that is available from OpenSSL itself is 3.1.4. There is no 3.1.5 that we even could update to. We are already on latest available OpenSSL library that is considered secure from the OpenSSL project.

I'm sorry, I'm not a developer. I wasn't aware that there isn't a new version of OpenSSL.

flichtenheld commented 4 months ago

2.6.9 was released built against OpenSSL 3.2.0. Let's close this issue.