VyOS Networks Blog

Building an open source network OS for the people, together.

CVE-2014-4607

Daniil Baturin
Posted 27 Jun, 2014

A vulnerability was recently discovered in the LZO implementation.

The only network-reachable VyOS components (to my knowledge) where it’s used are IPsec and OpenVPN, which use it for data compression. Compression is performed before encryption, so this is probably not exploitable by a man in the middle. If you are dealing with an untrusted remote side of the VPN, it is probably better to turn compression off.

We will look into providing a hotfix for it for 1.0.4.
