SoftEther VPN Users Beware of New Denial of Service Vulnerability

CVE: CVE-2023-23581
CVSS v3.1: 7.5
Source: CVE-2023-23581

SoftEther VPN is a popular open-source virtual private network (VPN) software. According to a new security advisory, versions 5.01.9674 and 5.02 of SoftEther VPN are affected by a denial-of-service vulnerability.

Attackers can exploit this vulnerability by crafting a specially malformed network packet and sending it to a vulnerable SoftEther VPN server. This would cause the server to stop responding or crash, disrupting VPN services for legitimate users.

The vulnerability exists in the EnSafeHttpHeaderValueStr function, which parses HTTP header values in the vpnserver component. Malformed input passed to this function can exhaust server resources and lead to a denial-of-service condition.

If you are a SoftEther VPN administrator, you should immediately update to the latest version to patch this vulnerability. Users should also check that their VPN servers have been updated. Following basic security practices like keeping software updated can help prevent exploitation.

While concerning, this vulnerability requires an attacker to directly target the vulnerable VPN server. General VPN users are not at high risk if their VPN provider acts quickly to apply the patch. But staying proactive about software updates remains important for online security and privacy.
