JVN#64316789
Multiple vulnerabilities in SoftEther VPN and PacketiX VPN
Overview
SoftEther VPN provided by University of Tsukuba SoftEther VPN Project and PacketiX VPN provided by SoftEther Corporation contain multiple vulnerabilities in the VPN Client function and in the Dynamic DNS Client function included in the VPN server.
Products Affected
CVE-2023-27395, CVE-2023-22325
- SoftEther VPN 4.41 Build 9787 RTM and earlier
- SoftEther VPN 4.41 Build 9787 RTM and earlier
- Product version PacketiX VPN 4.41 Build 9787 RTM and earlier (Japan domestic sales only)
Description
SoftEther VPN provided by University of Tsukuba SoftEther VPN Project and PacketiX VPN provided by SoftEther Corporation contain the multiple vulnerabilities listed below in the VPN Client function and in the Dynamic DNS Client function included in the VPN server.
- Heap-based buffer overflow (CWE-122) - CVE-2023-27395
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.1
  CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P Base Score: 5.1
- Integer overflow or wraparound (CWE-190) - CVE-2023-22325
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 5.9
  CVSS v2 AV:N/AC:H/Au:N/C:N/I:N/A:P Base Score: 2.6
- Exposure of resource to wrong sphere (CWE-668) - CVE-2023-32275
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score: 4.4
  CVSS v2 AV:L/AC:M/Au:S/C:P/I:N/A:N Base Score: 1.5
- Improper access control (CWE-284) - CVE-2023-27516
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.0
  CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P Base Score: 5.1
- Channel accessible by non-endpoint (CWE-300) - CVE-2023-32634
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Base Score: 3.9
  CVSS v2 AV:L/AC:M/Au:S/C:P/I:P/A:N Base Score: 3.0
- Use of uninitialized resource (CWE-908) - CVE-2023-31192
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 3.1
  CVSS v2 AV:N/AC:H/Au:S/C:P/I:N/A:N Base Score: 2.1
Impact
- An attacker capable of conducting man-in-the-middle attacks may cause a denial-of-service (DoS) condition or execute arbitrary code - CVE-2023-27395
- An attacker capable of conducting man-in-the-middle attacks may cause an infinite loop due to an integer overflow, resulting in a denial of service (DoS) condition - CVE-2023-22325
- An attacker authenticated as an administrator may obtain the starting address of a heap region - CVE-2023-32275
- In the VPN Client, an attacker may make an administrative connection if the remote administration feature is accidentally enabled without the password being set - CVE-2023-27516
- An attacker who can penetrate the computer on which the product is running may obtain and alter the communication between VPN Client Manager and VPN Client process - CVE-2023-32634
- When a specially crafted packet is sent to the VPN Client from the connection destination VPN Server prepared by an attacker, the attacker may obtain an uninitialized stack space value in the VPN Client process - CVE-2023-31192
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
Apply Workarounds
Applying the workarounds may mitigate the impacts of these vulnerabilities.
For the details, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
University of Tsukuba SoftEther VPN Project | SE202301: Security Advisory: CVE-2023-27395 etc: Fixed 6 vulnerabilities of SoftEther VPN in cooperation with Cisco Systems, Inc. |
Credit
Lilith of Cisco Talos of Cisco Systems, Inc., United States of America reported these vulnerabilities to the developer and coordinated with the developer. The developer reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, CVE-2023-31192 |
JVN iPedia | JVNDB-2023-000069 |