PT-2013-1236 · Openconnect+1 · Openconnect+1

Kevin Cernekee

Published

2013-02-24

Updated

2024-06-15

CVE-2012-6128

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions OpenConnect versions prior to 4.08

Description The issue is related to multiple stack-based buffer overflows in the http.c file of OpenConnect. These overflows can be triggered by remote VPN gateways sending responses with long hostnames, paths, or cookie lists, leading to a denial of service in the form of an application crash. The vulnerability can be exploited remotely and may result in the disruption of protected information availability.

Recommendations For OpenConnect versions prior to 4.08, update to version 4.08 or later to resolve the issue. As a temporary workaround, consider restricting the length of hostnames, paths, and cookie lists in responses from remote VPN gateways to prevent the buffer overflows.

Fix

DoS

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALT-PU-2014-1311

BDU:2015-09725

CVE-2012-6128

DSA-2623-1

OPENSUSE-SU-2024:10553-1

Affected Products

Alt Linux

Openconnect

PT-2013-1236 · Openconnect+1 · Openconnect+1

CVE-2012-6128

Weakness Enumeration

Related Identifiers

Affected Products

References · 26