CVE-2016-6329

Description

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack.

How to fix CVE-2016-6329

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/openvpn—no fix listed

Is CVE-2016-6329 being exploited?

Moderate — EPSS is 5.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6329