Upstream information

CVE-2013-2061 at MITRE

Description

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.

SUSE information

CVSS v2 Scores
  National Vulnerability Database
Base Score: 2.57
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
SUSE Bugzilla entry: 843509 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 11 SP2
  • openvpn >= 2.0.9-143.33.3.1
Patchnames:
sledsp2-openvpn
SUSE Linux Enterprise Desktop 11 SP3
  • openvpn >= 2.0.9-143.40.5
Patchnames:
sledsp3-openvpn
SUSE Linux Enterprise Server 11 SP2
  • openvpn >= 2.0.9-143.33.3.1
  • openvpn-auth-pam-plugin >= 2.0.9-143.33.3.1
Patchnames:
slessp2-openvpn
SUSE Linux Enterprise Server 11 SP3
  • openvpn >= 2.0.9-143.40.5
  • openvpn-auth-pam-plugin >= 2.0.9-143.40.5
Patchnames:
slessp3-openvpn
SUSE Linux Enterprise Server for VMware 11 SP2
  • openvpn >= 2.0.9-143.33.3.1
  • openvpn-auth-pam-plugin >= 2.0.9-143.33.3.1
Patchnames:
slessp2-openvpn
SUSE Linux Enterprise Server for VMware 11 SP3
  • openvpn >= 2.0.9-143.40.5
  • openvpn-auth-pam-plugin >= 2.0.9-143.40.5
Patchnames:
slessp3-openvpn
SUSE Linux Enterprise Desktop 11 SP3
  • openvpn >= 2.0.9-143.40.5
Builds
SAT Patch Nr: 8493
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
  • openvpn >= 2.0.9-143.40.5
  • openvpn-auth-pam-plugin >= 2.0.9-143.40.5
Builds
SAT Patch Nr: 8493
SUSE Linux Enterprise Desktop 11 SP2
  • openvpn >= 2.0.9-143.33.3.1
Builds
SAT Patch Nr: 8496
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP2 for VMware
  • openvpn >= 2.0.9-143.33.3.1
  • openvpn-auth-pam-plugin >= 2.0.9-143.33.3.1
Builds
SAT Patch Nr: 8496
openSUSE 12.3
  • openvpn >= 2.2.2-9.5.1
  • openvpn-auth-pam-plugin >= 2.2.2-9.5.1
  • openvpn-auth-pam-plugin-debuginfo >= 2.2.2-9.5.1
  • openvpn-debuginfo >= 2.2.2-9.5.1
  • openvpn-debugsource >= 2.2.2-9.5.1
  • openvpn-down-root-plugin >= 2.2.2-9.5.1
  • openvpn-down-root-plugin-debuginfo >= 2.2.2-9.5.1
Patchnames:
openSUSE-2013-823
openSUSE Evergreen 11.4
  • openvpn >= 2.1.4-11.34.1
  • openvpn-auth-pam-plugin >= 2.1.4-11.34.1
  • openvpn-auth-pam-plugin-debuginfo >= 2.1.4-11.34.1
  • openvpn-debuginfo >= 2.1.4-11.34.1
  • openvpn-debugsource >= 2.1.4-11.34.1
  • openvpn-down-root-plugin >= 2.1.4-11.34.1
  • openvpn-down-root-plugin-debuginfo >= 2.1.4-11.34.1
Patchnames:
2013-157