Security Advisory

Access Server Security Update (CVE-2023-46849, CVE-2023-46850)

Description:

OpenVPN Access Server uses the OpenVPN 2 codebase at its core for VPN connections. OpenVPN Access Server versions 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, and 2.12.1 contain a copy of OpenVPN 2.6 that has two vulnerabilities: the first is a division-by-zero crash, the second a use-after-free memory security issue.

The division-by-zero crash is not very easily exploitable on Access Server because the default configuration it ships with does not include the --fragment option, and control channel security makes it harder to exploit. It is, however, possible that administrators have enabled the --fragment option, and under certain circumstances the crash can still be triggered. The use-after-free memory security issue is more serious, as it has the potential to leak sensitive information from memory.

We therefore strongly recommend that anyone running OpenVPN Access Server 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, or 2.12.1 upgrade to the latest version of Access Server to address these vulnerabilities. Version 2.12.2 and newer contain the fix for these vulnerabilities.

Resolution:

Update your OpenVPN Access Server to the latest version, which contains the fixes for these vulnerabilities, as soon as possible. Version 2.12.2 and newer contain the fix. The procedure for upgrading Access Server can be found here: Keeping OpenVPN Access Server Updated. The CVEs we published for this are CVE-2023-46849 and CVE-2023-46850.
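The following is an added example, not part of this advisory and not OpenVPN's own tooling: a small Python script that tells whether an Access Server version string falls in the affected list above (2.11.0 through 2.12.1) or is at or above the fixed version 2.12.2, and that scans server-side OpenVPN configuration text for a `fragment` directive (the configuration-file form of --fragment) so an operator can tell whether the division-by-zero crash is reachable on a host that has not yet been upgraded. The sample configuration text is constructed for the example; where the version string and configuration text are obtained on a given system is left to the operator, and the use-after-free issue is treated as independent of --fragment, as the advisory describes it.

```python
import re
from typing import Optional, Tuple

# Versions the advisory lists as containing the vulnerable OpenVPN 2.6 copy.
AFFECTED_VERSIONS = {"2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "2.12.1"}
# First version the advisory names as carrying the fix.
FIXED_FROM = (2, 12, 2)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse a leading major.minor.patch triple; return None if absent."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify_version(version: str) -> str:
    """Map an Access Server version string to the advisory's categories.

    'affected'   - explicitly listed in the advisory
    'fixed'      - 2.12.2 or newer
    'not listed' - older than the affected range; the advisory says nothing
    'unknown'    - not a parseable version string
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    normalized = "%d.%d.%d" % parsed
    if normalized in AFFECTED_VERSIONS:
        return "affected"
    if parsed >= FIXED_FROM:
        return "fixed"
    return "not listed"


def fragment_directive(config_text: str) -> Optional[int]:
    """Return the size argument of an active `fragment` directive, or None.

    OpenVPN config files write the option as `fragment <max>`; lines starting
    with '#' or ';' are comments. A leading '--' is tolerated here only so a
    line pasted from a command line is not missed (a choice of this example).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        name = parts[0].lstrip("-")
        if name == "fragment" and len(parts) >= 2 and parts[1].isdigit():
            return int(parts[1])
    return None


def assess(version: str, config_text: str) -> dict:
    """Combine the version check and the config scan into one verdict."""
    status = classify_version(version)
    frag = fragment_directive(config_text)
    return {
        "version_status": status,
        "fragment_enabled": frag is not None,
        "fragment_max": frag,
        # The use-after-free does not depend on --fragment, so every affected
        # version needs the upgrade regardless of configuration.
        "upgrade_required": status == "affected",
        # The division-by-zero crash needs both an affected build and --fragment.
        "fragment_crash_reachable": status == "affected" and frag is not None,
    }


# Constructed sample configuration text for this example; not a real
# Access Server file and not taken from any particular deployment.
SAMPLE_CONFIG = """\
# constructed sample config for this example
port 1194
proto udp
dev tun
;fragment 1200    commented out, must be ignored
fragment 1300
mssfix
"""

if __name__ == "__main__":
    for ver in ("2.12.1", "2.12.2", "2.10.2"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

Run it with the version string and configuration text of the host being checked; a result with `upgrade_required` set means the host is on a listed version and should be moved to 2.12.2 or newer whether or not `fragment_crash_reachable` is also set.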