SoftEther VPN Developer Edition Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in SoftEther VPN Developer Edition versions through 5.2.5188. The issue allows an unauthenticated remote attacker to crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701). This action terminates all active VPN sessions. The vulnerability arises from improper handling of the EAP-TLS packet, where the server allocates memory based on an attacker-controlled length value without adequate bounds checking. As a result, the server process crashes, disrupting VPN services.
Impact
Exploitation of this vulnerability causes the vpnserver process to crash, terminating all active VPN sessions. While the process is automatically restarted by a watchdog, a sustained attack can lead to persistent denial-of-service conditions, with sessions dropped during each crash.
Reproduction
The vulnerability can be reproduced by sending approximately 11 UDP packets to port 1701, without any authentication. The first few packets establish an L2TP tunnel and session, followed by PPP negotiation packets. The crash is triggered by a crafted EAP-TLS response packet that carries an oversized TLS length value, because the server attempts a memory allocation sized by that value. This sequence can be automated into a denial-of-service flood that persists for as long as the vpnserver process keeps being restarted.
Remediation
Users are advised to add an upper bound check on the TLS length field in the 'PPPProcessEAPTlsResponse' function before the memory allocation call. Additionally, it is recommended to generate a random default IPsec pre-shared key at installation time instead of using the hardcoded default value.
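The upper-bound check the remediation describes, shown as an added illustration in C that is not SoftEther's own code: the reassembly state, constants and function names here are hypothetical, and the 64 KiB cap is an assumed value, not one taken from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical EAP-TLS (RFC 5216) reassembly state; not SoftEther's own types. */
#define EAP_TYPE_TLS        13
#define EAP_TLS_FLAG_L      0x80              /* a 4-byte TLS message length follows */
#define EAP_TLS_MAX_TLS_LEN (64u * 1024u)     /* assumed cap on a reassembled TLS message */

typedef struct {
    uint8_t *buf;     /* reassembly buffer, sized from the declared length */
    size_t   total;   /* declared TLS message length */
    size_t   got;     /* bytes copied so far */
} eap_tls_reasm;

void eap_tls_reset(eap_tls_reasm *r) { free(r->buf); r->buf = NULL; r->total = r->got = 0; }

/* Feed one EAP-TLS Response (starting at the EAP code byte).
 * Returns 1 if the fragment was accepted, 0 if rejected; nothing is allocated on reject. */
int eap_tls_handle(eap_tls_reasm *r, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 6) return 0;                          /* code, id, length(2), type, flags */
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 6 || eap_len > pkt_len) return 0;     /* EAP length must fit the datagram */
    if (pkt[4] != EAP_TYPE_TLS) return 0;
    size_t off = 6;
    if (pkt[5] & EAP_TLS_FLAG_L) {
        if (eap_len < 10) return 0;
        uint32_t declared = ((uint32_t)pkt[6] << 24) | ((uint32_t)pkt[7] << 16) |
                            ((uint32_t)pkt[8] << 8)  |  (uint32_t)pkt[9];
        off = 10;
        /* The upper bound is the check the advisory asks for: without it the
         * attacker-chosen 32-bit value flows straight into the allocation. */
        if (declared > EAP_TLS_MAX_TLS_LEN) return 0;
        if (declared < eap_len - off) return 0;         /* fragment larger than whole message */
        eap_tls_reset(r);
        r->buf = malloc(declared ? declared : 1);
        if (r->buf == NULL) return 0;
        r->total = declared;
    } else if (r->buf == NULL) {
        return 0;                                       /* continuation without a start */
    }
    size_t payload = eap_len - off;
    if (r->got + payload > r->total) return 0;          /* later fragments cannot overrun it */
    memcpy(r->buf + r->got, pkt + off, payload);
    r->got += payload;
    return 1;
}
```

The declared length is validated against the cap and against the bytes actually present before any allocation, and every later fragment is checked against the buffer it must fit into.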
