On Tue, May 12, 2015 at 7:27 AM, Lisa Minogue <lmino...@mail.be> wrote:
> Can I conclude from your above statements that applying obfuscation > patches to the standard OpenVPN client software may actually introduce > security vulnerabilities? > The openvpn_xorpatch <https://github.com/clayface/openvpn_xorpatch/blob/master/openvpn_xor.patch> which as introduced and discussed in this thread <https://forums.openvpn.net/topic12605.html> does have some vulnerabilities See Tunnelblick openvpn_xorpatch <https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch> for a further discussion of the patch. Most of the vulnerabilities are null pointer dereferences or other errors when parsing the "scramble" option or are triggered by unlikely values for its parameters. However, one is a potential buffer overflow which can occur while the VPN is active and could potentially be triggered by carefully constructed traffic.