FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenVPN -- HMAC verification on source IP address ineffective

Affected packages
openvpn < 2.6.16
openvpn-devel < g20251117,1

Details

VuXML ID 17a40d76-c3fd-11f0-b513-0da7be77c170
Discovery 2025-10-27
Entry 2025-11-17

Arne Schwabe reports:

Fix memcmp check for the hmac verification in the 3-way handshake being inverted. This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be opened and state can be consumed in the server from IP addresses that did not initiate an initial connection.

While at it, fix check to only allow [t-2;t] timeslots, disallowing HMACs coming in from a future timeslot.
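The two defects described in the report (an inverted comparison result that accepts every cookie, and a timeslot window that must be limited to [t-2; t]) are modelled in the added C example below. It is not OpenVPN's code and makes no claim about the exact shape of the affected function: the keyed tag is a toy FNV-1a construction standing in for the real HMAC so the example runs without a crypto library, the key and the 10.0.0.x addresses are constructed, and the "buggy" checker is an assumed illustration of how an inverted memcmp result turns every mismatch into success. The "fixed" checker shows the intended behaviour: a tag is accepted only when it matches one of the current slot or the two preceding slots, compared in constant time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 8
#define WINDOW  2   /* accept timeslots [t-2; t] only */

/* Constructed demo key and addresses (not taken from the advisory). */
static const uint8_t DEMO_KEY[16] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01 };
#define DEMO_IP  0x0A000001u  /* 10.0.0.1 */
#define OTHER_IP 0x0A000002u  /* 10.0.0.2 */

/* Toy keyed tag over key || client_ip || timeslot (FNV-1a). A stand-in
 * for the protocol's HMAC so the control flow can be exercised offline;
 * it is NOT a secure MAC. */
void cookie_tag(const uint8_t key[16], uint32_t client_ip, uint32_t timeslot,
                uint8_t out[TAG_LEN])
{
    uint8_t buf[16 + 4 + 4];
    uint64_t h = 0xcbf29ce484222325ULL;
    memcpy(buf, key, 16);
    memcpy(buf + 16, &client_ip, 4);
    memcpy(buf + 20, &timeslot, 4);
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    memcpy(out, &h, TAG_LEN);
}

/* Constant-time equality: no early exit on the first differing byte. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Modelled buggy check (assumed shape): the sense of the memcmp result is
 * inverted, so a mismatch counts as success. Every tag mismatches at least
 * one candidate slot, so every tag is accepted and the binding to the
 * source address is lost. */
bool verify_cookie_buggy(const uint8_t key[16], uint32_t client_ip,
                         uint32_t now, const uint8_t tag[TAG_LEN])
{
    for (uint32_t back = 0; back <= WINDOW; back++) {
        uint8_t expect[TAG_LEN];
        cookie_tag(key, client_ip, now - back, expect);
        if (memcmp(expect, tag, TAG_LEN) != 0)  /* inverted: should be == 0 */
            return true;
    }
    return false;
}

/* Corrected check: accept only on a match, compare in constant time, and
 * try only slots t, t-1, t-2, so a tag minted for a future slot (t+1) or
 * a stale one (t-3) is rejected. */
bool verify_cookie_fixed(const uint8_t key[16], uint32_t client_ip,
                         uint32_t now, const uint8_t tag[TAG_LEN])
{
    for (uint32_t back = 0; back <= WINDOW; back++) {
        uint8_t expect[TAG_LEN];
        cookie_tag(key, client_ip, now - back, expect);
        if (ct_equal(expect, tag, TAG_LEN))
            return true;
    }
    return false;
}

/* Scenario: a tag minted for tag_ip at minted_slot arrives from DEMO_IP while
 * the server's current slot is now (now must be >= WINDOW). */
bool scenario(bool use_fixed, uint32_t tag_ip, uint32_t minted_slot, uint32_t now)
{
    uint8_t tag[TAG_LEN];
    cookie_tag(DEMO_KEY, tag_ip, minted_slot, tag);
    return use_fixed ? verify_cookie_fixed(DEMO_KEY, DEMO_IP, now, tag)
                     : verify_cookie_buggy(DEMO_KEY, DEMO_IP, now, tag);
}

/* Scenario: an all-zero tag, i.e. no knowledge of the key at all. */
bool scenario_forged(bool use_fixed, uint32_t now)
{
    uint8_t tag[TAG_LEN] = {0};
    return use_fixed ? verify_cookie_fixed(DEMO_KEY, DEMO_IP, now, tag)
                     : verify_cookie_buggy(DEMO_KEY, DEMO_IP, now, tag);
}

int main(void)
{
    const uint32_t t = 1000;
    printf("genuine, slot t   : buggy=%d fixed=%d\n", scenario(false, DEMO_IP, t, t), scenario(true, DEMO_IP, t, t));
    printf("genuine, slot t-2 : buggy=%d fixed=%d\n", scenario(false, DEMO_IP, t - 2, t), scenario(true, DEMO_IP, t - 2, t));
    printf("genuine, slot t+1 : buggy=%d fixed=%d\n", scenario(false, DEMO_IP, t + 1, t), scenario(true, DEMO_IP, t + 1, t));
    printf("other IP's tag    : buggy=%d fixed=%d\n", scenario(false, OTHER_IP, t, t), scenario(true, OTHER_IP, t, t));
    printf("forged zero tag   : buggy=%d fixed=%d\n", scenario_forged(false, t), scenario_forged(true, t));
    return 0;
}
```

The buggy checker prints 1 for every row, including the forged tag and the tag minted for another address, which is the "all hmac cookies accepted" condition. The fixed checker accepts only the genuine tags minted for the current slot or the two before it and rejects the future-slot tag, matching the [t-2; t] window the report describes.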

References

CVE Name CVE-2025-13086
URL https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83