From ba8a72b100a7526869acea79a4eeace5a2619b12 Mon Sep 17 00:00:00 2001 From: dswd Date: Fri, 1 Jul 2016 11:17:59 +0200 Subject: [PATCH] Created Security Advisories (markdown) --- Security-Advisories.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Security-Advisories.md diff --git a/Security-Advisories.md b/Security-Advisories.md new file mode 100644 index 0000000..95b5a77 --- /dev/null +++ b/Security-Advisories.md @@ -0,0 +1,16 @@ +# Advisory 1: Buffer-overflow in some unreleased intermediate versions between 0.1 and 0.2 + +## Summary +Some unreleased intermediate versions of VpnCloud between 0.1 and 0.2 contain a critical flaw that allows arbitrary code execution. + +## Details +When parsing the claimed address ranges contained in an `Init` message, the code first reads one byte that determines the size of the address and then it reads that many bytes into a buffer of 16 bytes without checking the length. +An attacker can exploit this to write up to 255 bytes in a 16 byte buffer and thereby overflowing the buffer by up to 239 bytes. The buffer is defined with fixed size and therefore allocated on the stack. +This flaw can be exploited using special-crafted UDP packets. If encryption is enabled, the attacker needs to be able to encrypt packets with the correct shared-key to exploit the flaw. + +## Severity: Critical +Exploiting the flaw to execute arbitrary code should be simple. Since the flaw can be triggered by UDP packets and the process is running with root privileges, the severity is to be considered critical. + +## Affected Versions +The bug was introduced on 2015-11-24 with commit [946e384](https://github.com/dswd/vpncloud.rs/commit/946e384660810c46d86ee859af5bbce11112ee5d) and fixed on 2015-11-26 with commit [f933c54](https://github.com/dswd/vpncloud.rs/commit/f933c541f88a4ae20008c1be37b55213ebe421b3) (without realizing the full severity). No released versions of VpnCloud were affected. +
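Review bot: The Details section (hunk lines 6-9 of the new file) describes the bug but never states what the fix in f933c54 actually does, which is the first thing a reader of an advisory wants to verify; add one sentence such as "The fix rejects `Init` messages whose address-length byte exceeds the 16-byte buffer before any bytes are copied" (assuming that is what the referenced commit does, please confirm against it). It would also help to add a short "Mitigation" section after Affected Versions telling anyone running a git build from between 946e384 and f933c54 to update, and, since the text notes that encryption forces an attacker to hold the shared key, to say explicitly that unencrypted deployments were the exposed case. Minor wording in the same paragraph: "thereby overflowing the buffer" should read "thereby overflow the buffer", "special-crafted UDP packets" should be "specially crafted UDP packets", and "shared-key" should be "shared key".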