CVE-2023-22308: 
SoftEther VPN Server vulnerability analysis and mitigation

An integer underflow vulnerability (CVE-2023-22308) was discovered in the vpnserver OvsProcessData functionality of SoftEther VPN versions 5.01.9674 and 5.02. The vulnerability was disclosed on October 12, 2023, and affects the OpenVPN protocol implementation in SoftEther VPN, a multi-platform VPN project that provides both server and client code to connect over various VPN protocols (Talos Report).

The vulnerability exists in the OpenVPN protocol handling of SoftEther VPN. When processing TCP packets, the server checks for packets starting with '\x00\x0E' to identify OpenVPN traffic. However, in subsequent iterations of packet processing, there's no validation of the packet format, allowing an attacker to send specially crafted packets that can trigger an integer underflow. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-191 (Integer Underflow) (Talos Report).

When successfully exploited, this vulnerability can lead to a denial of service condition in the VPN server. The attack can cause the server process to crash when attempting to read beyond the allocated buffer space, particularly when the payload hits the guard pages in Linux thread stacks (Talos Report).

A patch for this vulnerability was released by the vendor on April 17, 2023. Users are advised to upgrade to the latest version of SoftEther VPN. The fix was implemented through a pull request on the SoftEther VPN GitHub repository (Talos Report).