Vigil@nce - OpenVPN: clear text disclosure via the HMAC comparison
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can measure the response time of an OpenVPN server, in
order to decrypt a few bytes.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 07/05/2013
DESCRIPTION OF THE VULNERABILITY
The openvpn_encrypt() function of the openvpn/crypto.c file
computes a HMAC (keyed-hash message authentication code) and
compares it with the one sent by the client. If the HMAC is
invalid, the OpenVPN server closes the session.
The HMAC comparison is done with the memcmp() function. This
function is optimized, and stops as soon as a different byte is
found. However, the difference of comparison duration can be used
to predict data.
An attacker can therefore measure the response time of an OpenVPN
server, in order to decrypt a few bytes. Three hours are required
to decrypt one byte.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenVPN-clear-text-disclosure-via-the-HMAC-comparison-12760