OpenVPN 2.7.5 was released today as the latest update to the widely used open-source VPN solution, addressing seven CVE-tracked vulnerabilities, including use-after-free bugs, memory leaks, buffer handling issues, and crashes affecting servers or clients under specific configurations.
Among the most notable fixes is one for a Windows-specific issue in openvpnserv, where certain combinations of DNS configuration options and local DNS settings could pollute the DNS SearchList state during connect and disconnect operations.
OpenVPN 2.7.5 also fixes two separate use-after-free vulnerabilities. The first affects ack_write_buf() and could be triggered by a carefully timed sequence of control-channel and authentication packets. The second affects tls_wrap_reneg() and involves a suitable sequence of dynamic tls-crypt control-channel packets.
Another important server-side fix addresses a crash that could occur when a malformed auth-token is received while --auth-gen-token external-auth is enabled. The release also resolves two tls-crypt-v2 memory leak issues that could cause out-of-memory situations and server crashes.
On top of that, the security fixes include a correction for a possible one-byte buffer overrun in NTLMv2 proxy responses.
Beyond the CVE fixes, OpenVPN 2.7.5 includes several additional bug fixes. On Windows, it fixes a plugin trusted-directory check prefix bypass, though the project notes it was not classified as a security vulnerability because exploitation would require administrator privileges or social engineering.
The update also reworks parts of openvpnserv’s DNS domain conversion handling and fixes a use-after-free issue involving DNS options on client connect. In server configurations using --dns or --dhcp-option DNS options locally, this could trigger a double free and crash the server.
Other fixes improve multi-socket UDP event handling, address a memory leak in DNS server address parsing when too many server addresses are configured, and correct port-share behavior with multiple sockets. The release also fixes an issue where incoming tls-crypt-v2 RESET packets on different sockets could cause replies to be sent to the wrong client IP or through an unsuitable socket.
Finally, OpenVPN 2.7.5 ensures that a pushed tun-mtu value cannot go below TUN_MTU_MIN, so a server can no longer push an option that triggers an assertion failure in the client. On Windows, the socket handling code now checks the buffer length before reading a prepended sockaddr family, avoiding a possible overread if the Windows DCO driver misbehaves.
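To make the tun-mtu point concrete, here is an added example (not OpenVPN's own code) of the kind of client-side validation the fix describes: a small parser that walks a PUSH_REPLY-style comma-separated option list and rejects any tun-mtu below a lower bound before the value reaches tunnel setup. The sample replies are constructed for the example, and EXAMPLE_TUN_MTU_MIN is an assumed floor; OpenVPN uses its own TUN_MTU_MIN constant.

```c
/*
 * Added example (not OpenVPN's own code): validating a server-pushed tun-mtu.
 *
 * A PUSH_REPLY carries a comma-separated option list, e.g.
 *   "PUSH_REPLY,route 10.8.0.0 255.255.255.0,tun-mtu 1400,ping 10"
 * This parser pulls out the tun-mtu token and refuses values below a lower
 * bound instead of handing them to tunnel setup. EXAMPLE_TUN_MTU_MIN is an
 * assumed floor for this example; OpenVPN uses its own TUN_MTU_MIN constant.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_TUN_MTU_MIN 100   /* assumed floor for the example */

/* Return codes for checked_tun_mtu(). */
#define TUN_MTU_NOT_PUSHED 0      /* no tun-mtu option in the reply */
#define TUN_MTU_REJECTED  -1      /* malformed, out of range, or below the floor */

/* Inspect one option token of length toklen. Returns 1 if it is a tun-mtu
 * option (storing the parsed value, or -1 if invalid, in *val_out), else 0. */
static int parse_tun_mtu_token(const char *tok, size_t toklen, int min, long *val_out)
{
    while (toklen && isspace((unsigned char)*tok)) { tok++; toklen--; }
    if (toklen < 7 || strncmp(tok, "tun-mtu", 7) != 0) return 0;
    if (toklen > 7 && !isspace((unsigned char)tok[7])) return 0; /* e.g. tun-mtu-extra */

    const char *val = tok + 7, *vend = tok + toklen;
    while (val < vend && isspace((unsigned char)*val)) val++;
    while (vend > val && isspace((unsigned char)vend[-1])) vend--;

    char buf[16];
    size_t vlen = (size_t)(vend - val);
    *val_out = -1;
    if (vlen == 0 || vlen >= sizeof buf) return 1;   /* empty or absurdly long value */
    memcpy(buf, val, vlen);
    buf[vlen] = '\0';

    char *end = NULL;
    errno = 0;
    long v = strtol(buf, &end, 10);
    /* Reject trailing junk, overflow, and anything below the floor. */
    if (*end != '\0' || errno == ERANGE || v > INT_MAX || v < min) return 1;
    *val_out = v;
    return 1;
}

/* Walk a PUSH_REPLY-style option list. Returns the validated tun-mtu,
 * TUN_MTU_NOT_PUSHED if none was sent, or TUN_MTU_REJECTED on the first
 * malformed or too-small value (otherwise the last valid tun-mtu wins). */
int checked_tun_mtu(const char *reply, int min)
{
    int result = TUN_MTU_NOT_PUSHED;
    const char *p = reply;
    while (p && *p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        long v;
        if (parse_tun_mtu_token(p, len, min, &v)) {
            if (v < 0) return TUN_MTU_REJECTED;
            result = (int)v;
        }
        p = comma ? comma + 1 : NULL;
    }
    return result;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = {
        "PUSH_REPLY,route 10.8.0.0 255.255.255.0,tun-mtu 1400,ping 10",
        "PUSH_REPLY,tun-mtu 48,ping 10",   /* below the floor: the case the fix guards against */
        "PUSH_REPLY,tun-mtu abc",
        "PUSH_REPLY,ping 10,ping-restart 60",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = checked_tun_mtu(samples[i], EXAMPLE_TUN_MTU_MIN);
        printf("%-62s -> %s", samples[i],
               r == TUN_MTU_REJECTED ? "REJECTED" : r == TUN_MTU_NOT_PUSHED ? "not pushed" : "ok");
        if (r > 0) printf(" (tun-mtu %d)", r);
        putchar('\n');
    }
    return 0;
}
```

The design choice worth noting is that a rejected value aborts processing of the whole reply rather than being silently clamped: a server pushing an MTU below the floor is either misconfigured or hostile, and in both cases the client should refuse the option set rather than quietly pick a different number.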
For additional details, see the changelog.
