A security audit of the widely used SoftEther VPN open source VPN
client and server software [1] has uncovered 11 remote security
vulnerabilities. The audit has been commissioned by the Max Planck
Institute for Molecular Genetics [2] and performed by Guido Vranken
[3]. The issues found range from denial-of-service resulting from
memory leaks to memory corruption.
The 80 hour security audit has relied extensively on the use of
fuzzers [4], an approach that has proven its worth earlier with the
discovery of several remote vulnerabilities in OpenVPN in June of 2017
[5]. The modifications made to the SoftEther VPN source code to make
it suitable for fuzzing and original code written for this project are
open source [6]. The work will be made available to Google’s OSS-Fuzz
initiative [7] for continued protection of SoftEther VPN against
security vulnerabilities. An updated version of SoftEther VPN that
resolves all discovered security vulnerabilities is available for
download immediately [8].
[1] https://www.softether.org/
[2] https://www.molgen.mpg.de/2168/en
[3] https://guidovranken.wordpress.com/
[4] https://en.wikipedia.org/wiki/Fuzzing
[5] https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
[6] https://github.com/guidovranken/SoftEtherVpn-Fuzz-Audit
[7] https://github.com/google/oss-fuzz/blob/master/README.md
[8] http://www.softether.org/5-download/history
Guido Vranken 