An attacker controlling an HTTP proxy (or performing MITM on the
plaintext pre-TLS proxy connection) can trigger a single 0-byte
overrun to a buffer on the stack by sending a crafted NTLM Type
2 challenge response.

The effects of this depend on memory layout, but could possibly lead
to a crashing OpenVPN client.

Reported-by: Tristan Madani (@TristanInSec)
CVE: 2026-11771
Github: OpenVPN/openvpn-private-issues#116

Change-Id: Iac54e6772b2c26a09227fd638d24d6e2aa35cec6
Signed-off-by: Gert Doering <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.7.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1713
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <[email protected]>

        
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 244ee94..9c4edf9 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -317,7 +317,7 @@
     if ((flags & 0x00800000) == 0x00800000)
     {
         tib_len = buf2[0x28]; /* Get Target Information block size */
-        if (tib_len + 0x1c + 16 > sizeof(ntlmv2_response))
+        if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))
         {
             msg(M_WARN, "NTLM: target information buffer too long for response 
(len=%d)", tib_len);
             return NULL;
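Review bot: the corrected bound hides why one extra byte is needed; the `>=` in `if (tib_len + 0x1c + 16 >= sizeof(ntlmv2_response))` only makes sense together with the commit message's "single 0-byte overrun", so a reader of ntlm.c alone cannot tell whether the limit is the target-info copy itself or a terminator written after it. Suggest writing the check as `tib_len + 0x1c + 16 + 1 > sizeof(ntlmv2_response)` with a comment naming the trailing zero byte, or better, deriving both the copy offset and this bound from one named constant so they cannot drift apart again. Also note that `tib_len = buf2[0x28]` reads a single byte, so `tib_len` is at most 255 and the addition cannot overflow an int; a one-line comment stating that assumption next to the check would document why the arithmetic is safe.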


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel