specially crafted network packet lead to buffer overrun and process
crash. working exploit was provided by Cisco Talos team.
An integer underflow vulnerability exists in the vpnserver
OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A
specially-crafted network packet can lead to denial of service. An
attacker can send a malicious packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by
Talos or confirmed to be vulnerable by the vendor.
SoftEther VPN 5.01.9674
SoftEther VPN 5.02
While 5.01.9674 is a development version, it is distributed at the time
of writing by Ubuntu and other Debian-based distributions.
Before change, contiguous whitespaces appeared in version string.
This room is for beta string (such as Alpha, Beta) and beta number but
it looks a bit odd if the build is not alpha/beta/RC.
> Version 5.02 Build 5180 Alpha 3 (Japanese)
> Version 5.02 Build 5180 Beta 3 (Japanese)
> Version 5.02 Build 5180 Release Candidate 3 (Japanese)
> Version 5.02 Build 5180 (Japanese)
> ^^^
Now version string looks neat like this:
> Version 5.02 Build 5180 (Japanese)
> Version 5.02 Build 5180 Release Candidate 3 (Japanese)
On FreeBSD the stock code will attempt to expand the interface MTU any time a packet is to be sent that exceeds the current MTU. This results in a down/up on the interface that is wildly disruptive to existing services on that adapter and, eventually, is likely to run into MTU limits and start logging failures, even with jumbo-frame capable adapters. Thus if compiling on a FreeBSD machine disable this capability. Tested against 12.3-STABLE and 13.1-STABLE on v4.38-9760 from the FreeBSD ports tree but likely applies here as well; see bug report https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267178
OpenVPN always allowed 8 ACKs in P_ACK_V1 packets but only used
up to 4 in other control packets. Since Softether drops all packets with
more than 4 ACKs it also drops legimate P_ACK_V1.
See also this issue: https://github.com/schwabe/ics-openvpn/issues/1486
On big endian system, while store 32 bits and 16bits number in memory of UINT64 variable "tmp", first 4 bytes of it always be zero makes "cookie" and "size" always be zero, lead to udpaccel unusable.
