CVE-2023-25774: 
SoftEther VPN Server vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2023-25774) was discovered in SoftEther VPN 5.02's vpnserver ConnectionAccept() functionality. The vulnerability was disclosed on October 12, 2023, affecting SoftEther VPN versions 5.01.9674 and 5.02. SoftEther is a multi-platform VPN project that provides both server and client code to connect over various VPN protocols, including Wireguard, PPTP, SSTP, and L2TP (Talos Report).

The vulnerability exists in the way the VPN server handles TCP connections. The server accepts and parses HTTP connections by default on TCP ports 443, 992, 1194, and 5555. The issue occurs when the Cedar object, which is shared between all threads within the SoftEtherVPN server, becomes contested due to multiple threads attempting to acquire c->Cedar->lock. The CVSS v3.1 score is 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (Talos Report).

When exploited, the vulnerability can cause an ever-increasing number of threads waiting for the lock, leading to the Server thread dying and being respawned, and killing all existing VPN connections. Once the server reaches approximately 32,657 threads, memory becomes sparse and triggers an Abort() call. Although the SoftEther vpnserver network service will restart as it runs as a service, the speed at which it can be continuously killed makes it effective for denial of service attacks (Talos Report).

The vulnerability has been patched by the vendor. A fix was released on September 28, 2023, through a pull request on Github: https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1911. Users are advised to update to the latest version of SoftEther VPN (Talos Report).