There are 11 vulnerabilities on SoftEther VPN. There vulnerabilities are found by the source code audit process conducted by Max Planck Institute for Molecular Genetics andMr. Guido Vranken in late 2017. This build fixes all of these vulnerabilities.
7 missing memory boundaries checks and similar memory problems. There are no risk of arbitrary code execution or intrusion on these bugs in my analysis. However, these problems may lead to crash the running server process. So these bugs must be fixed.
- Buffer overread in ParseL2TPPacket()
- Memory corruption in IcmpParseResult
- Missing bounds check in ParseUDP() can lead to invalid memory access
- Out-of-bounds read in IPsec_PPP.c (unterminated string buffer)
- Overlapping parameters to memcpy() via StrToIp6()
- PACK ReadValue() crash vulnerability
- Potential use of uninitialized memory via IPToInAddr6()
4 memory leaks. While the amount of leakage is very small per time, these bugs can finally cause process crash by out of memory. So these bugs must be fixed.
- Memory leak in NnReadDnsRecord
- Memory leak in RadiusLogin()
- Memory leak via ParsePacketIPv4WithDummyMacHeader
- Remote memory leak in OpenVPN server code
1 coding improvement. This is not a bug, however, I fixed the code to avoid furture misunderstanding.
- RecvAll can return success on failure (leading to use of uninitialized memory)
Contributors for this bugfix:
- Max Planck Institute for Molecular Genetics
- Mr. Guido Vranken
Also, this build has the following improvements:
- Fix a bug in the Win32EnumDirExW() function.
- Add the Alternative subject name field on the new X.509 certificate creation.
SoftEther VPN 4.24 Build 9652 Beta (December 21, 2017)
Fixed the bug which occurs the L2TP/IPsec connection error with Android Oreo on the Build 9647 and 9651.
Added the function to save the DNS query log on the packet logs.
SoftEther VPN 4.24 Build 9651 Beta (October 23, 2017)
Fixed the bug on the OpenVPN Server function in Build 9647.
SoftEther VPN 4.23 Build 9647 Beta (October 18, 2017)
Upgraded OpenSSL to 1.0.2l.
Source code is now compatible with OpenSSL 1.1.x. Supports DHE-RSA-CHACHA 20-POLY 1305 and ECDHE-RSA-CHACHA 20-POLY 1305, which are new encryption methods of TLS 1.2. (In order to use this new function, you need to recompile yourself using OpenSSL 1.1.x.)
TrafficServer / TrafficClient function (The traffic throughput measurement function) is now multithreaded and compatible with about 10 Gbps using NIC with the RSS feature.
Changed the default algorithm for SSL from RC4-MD5 to AES128-SHA.
Fixed a bug that occurr wrong checksum recalculation in special case of the TCP-MSS clamp processing.
Fixed the calculation interval of update interval of DHCP client packet issued by kernel mode virtual NAT function of SecureNAT function.
Driver upgrade and DLL name change with Crypto ID support of USB security token.
Fixed a problem that CPU sleep processing was not performed when the wait time of the Select() function was INFINITE on Mac OS X.
Added the StrictSyslogDatetimeFormat flag onto the ServerConfiguration section on the VPN Server configuration file, which sets Syslog date format to RFC3339.
Fixed wrong English in the UI.
Using client parameter in function CtConnect
Remove blank line at the start from init file (Debian)
Stop Radius Delay from counting to next_resend
Add DH groups 2048,3072,4096 to IPSec_IKE
Add HMAC SHA2-256, HMAC SHA2-384, HMAC SHA2-512 support
Openvpn extend ciphers
Fixed RSA key bits wrong calculation for certain x509 certificate
Added support for RuToken USB key PKCS#11
OpenSSL 1.1 Port
SoftEther VPN 4.22 Build 9634 Beta (November 27, 2016)
Added the support for TLS 1.2. Added TLS 1.2-based cipher sets: AES128-GCM-SHA256, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384.
Added the function to allow to configure specific TLS versions to accept / deny. In the VPN Server configuration file you can set Tls_Disable1_0, Tls_Disable1_1 and Tls_Disable1_2 flags to true to disable these TLS versions individually.
Added the support for TLS 1.2 on the OpenVPN protocol.
Updated the version of OpenSSL to 1.0.2j.
Added the support for Windows Server 2016.
Fixed the 2038-year problem.
Added the support for recording HTTPS destination hostnames, using SNI attributes, on the packet logging function.
Added the function to append the name of Virtual Hub into the "Called-Station-ID (30)" attribute value in the RADIUS authentication request packet.
Improved the behavior of Virtual Layer-3 switches. The interval of ARP request is set to 1 second.
Fixed the problem of the slow startup of VPN Server in Windows 10.
Added the support for 4096 bits RSA authentication with smart cards.
Added the support for the CryptoID USB token.
Fixed the UI string resource in English.
Fix that ParseTcpOption doesn't work correctly
Add LSB header
Support Debian package build on aarch64 architecture
Support Debian package build on ARMv7l architecture
cppcheck issues
Default to TLS connections only
Allow specific SSL/TLS versions to be disabled
Adding Radius AVP Called-Station-Id
Fixed typo
Update CentOS makefiles and spec file
Systemd service configuration files for SoftEther
Fix set initialization, set.OnlyCapsuleModeIsInvalid could be garbage
Fixed OSX CPU utilization by replacing broken kevent() with select()
Add the possibility to send the Virtual Hub Name to an external DHCP server
Added armv5tel for debian/rules and made pushed routes work correct with OpenVPN
fix LogFileGet won't save to SAVEPATH
Fix for Debian Package
Try to autodetect OS and CPU instead of requiring user input
Support For Radius Realm
SoftEther VPN 4.21 Build 9613 Beta (April 24, 2016)
Added SoftEther VPN Server Manager for Mac OS X.
Now you can manage your SoftEther VPN Server, running remotely, from your Mac in local.
SoftEther VPN 4.20 Build 9608 RTM (April 18, 2016)
All cumulative updates below are included.
Fixed a minor English typo.
SoftEther VPN 4.19 Build 9605 Beta (March 3, 2016)
The version of OpenSSL is updated to 1.0.2g to fix the vulnerability which was published in March 2016. SSLv2 is now disabled completely.
Fixed a multi-byte character problem in the certificate generating tool.
Enable the cache of the destination IP address of the additional TCP connection for a VPN session.
SoftEther VPN 4.19 Build 9599 Beta (October 19, 2015)
Fixed the problem that an unnecessary "Insert disk" dialog box appears when installing VPN Server or VPN Bridge on Windows 10.
Added the "/NOHUP" parameter in the "TrafficServer" command of vpncmd.
Added the "/REDIRECTURL" parameter in some access list commands of vpncmd.
Added the virtual address check routines in kernel-mode drivers to prevent blue screen or invalid memory access. Previous versions of kernel-mode drivers did not check the virtual addresses from the user-mode. (NOTE: All kernel-mode drivers are protected by ACL to avoid privilege escalation in all previous versions. Only users with Administrator privileges were able to cause blue screen or invalid memory access by passing invalid addresses from the user-mode. Therefore this was not a security flaw.) Appreciate Meysam Firozi's contribution to report the similar problem in the Win10Pcap driver.
SoftEther VPN 4.19 Build 9582 Beta (October 6, 2015)
Dramatically improvement of the performance of the Virtual NAT function of SecureNAT in Linux. In the previous versions of SoftEther VPN, the SecureNAT performance was very slow in the specific situation that the Linux Virtual Machine (VM) is running with virtual Ethernet interfaces which are prohibited to enable the promiscuous mode (this problem has been frequently appeared on cloud servers such like Amazon EC2/AWS or Windows Azure). In such a situation, SecureNAT must use the user-mode TCP/IP stack simulation and it was very slow and had high latency. This version of SoftEther VPN Server adds the new "RAW IP Mode" in the SecureNAT function. The RAW IP Mode is enabled by default, and is effective only if the VPN Server process is running in the root privileges. In the RAW IP Mode, the SecureNAT function realizes to transmit and receive TCP, UDP and ICMP packets which headers are modified. This behavior realizes drastically improved performance than legacy user-mode SecureNAT in the previous versions. In order to avoid the misunderstanding of receiving packets which are towards to the Virtual NAT function, some packet filter rules are automatically added to the iptables chain list. You can disable the RAW IP Mode by setting the "DisableIpRawModeSecureNAT" value to "1" on the Virtual Hub Extending Options.
Improved the performance of the Kernel-mode SecureNAT.
Improved the stability of the L2TP VPN sessions on the network with heavy packet-losses.
Added the compatibility with Cisco 800 series routers (e.g. Cisco 841M) on the L2TPv3 over IPsec protocol. These new Cisco routers have modified L2TPv3 header interpreter. Therefore SoftEther VPN Server needed to add new codes to support these new Cisco routers.
Added the support the compatibility to YAMAHA RTX series routers on the L2TPv3 over IPsec protocol.
Added the support for EAP and PEAP. SoftEther VPN Server can now speak RFC3579 (EAP) or Protected EAP (PEAP) to request user authentications to the RADIUS server with the MS-CHAPv2 mechanism. If this function is enabled, all requests from L2TP VPN clients which contain MS-CHAPv2 authentication data will be converted automatically to EAP or PEAP when it is transferred to the RADIUS server. You must enable this function manually for each of Virtual Hubs. To enable the function converting from MS-CHAPv2 to EAP, set the "RadiusConvertAllMsChapv2AuthRequestToEap" value to "true" in the vpn_server.config. To enable the functin converting from MS-CHAPv2 to PEAP, set both "RadiusConvertAllMsChapv2AuthRequestToEap" and "RadiusUsePeapInsteadOfEap" options to "true".
SoftEther VPN 4.19 Build 9578 Beta (September 15, 2015)
Solved the problem that kernel mode drivers do not pass the general tests of "Driver Verifier Manager" in Windows 10.
SoftEther VPN 4.18 Build 9570 RTM (July 26, 2015)
Compabible with Windows 10.
Solved the problem that the customized language setting on the "lang.config" file.
config sometimes corrupts in the rare condition.
SoftEther VPN 4.17 Build 9566 Beta (July 16, 2015)
Improved stability with Windows 10 Beta.
Updated the OpenSSL library to 1.0.2d.
SoftEther VPN 4.17 Build 9562 Beta (May 30, 2015)
Added supports for Windows 10 Technical Preview Build 10130.
Increased the maximum Ethernet frame size from 1560 bytes to 1600 bytes.
Fixed the compiler error while building the source code of SoftEther VPN on Windows.
Added memory tags on the memory allocation function calls in kernel-mode device drivers.
Fixed the freeze problem of the VPN Client that the computer enters to suspend or hibernation state while the VPN Client is connected to the VPN Server.
Windows-version executable and driver files are now signed by the SHA-256 digital code-sign certificate.
SoftEther VPN 4.15 Build 9546 Beta (April 5, 2015)
Fixed the problem that the Local Bridge function does not work correctly on Windows 10 Technical Preview Build 10049.
SoftEther VPN 4.15 Build 9539 Beta (April 4, 2015)
Add the code to instruct the VPN Client to disconnect the VPN session automatically when Windows is being suspending or hibernating.
SoftEther VPN 4.15 Build 9538 Beta (March 27, 2015)
Fixed the dialog-box size problem on Windows 10 Technical Preview Build 10041.
SoftEther VPN 4.15 Build 9537 Beta (March 26, 2015)
Upgraded built-in OpenSSL from 0.9.8za to 1.0.2a. Please note that this change has not been well-tested. This upgrading of OpenSSL might cause problems.
»» Нажмите, для закрытия спойлера | Press to close the spoiler «« полный набор под все платформы ( Windows, MacOS, Linux, FreeBSD, Solaris) и аппаратные архитектуры