
Cloud Vulnerability DB
A community-led vulnerabilities database
An information disclosure vulnerability (CVE-2023-31192) exists in the ClientConnect() functionality of SoftEther VPN 5.01.9674. The vulnerability allows a specially crafted network packet to lead to disclosure of sensitive information through a man-in-the-middle attack. The issue was discovered by Lilith of Cisco Talos and was publicly disclosed on October 12, 2023, with a CVSS v3.1 base score of 5.3 (Medium) (Talos Report, NVD).
The vulnerability exists in the ClientConnect() functionality when handling redirection responses for the clustering (load balancing) feature. When the VPN Client connects to an untrusted VPN Server, an invalid redirection response can cause 20 bytes of uninitialized stack space to be read. The issue occurs because if the redirection response packet doesn't contain a Ticket value, the UCHAR ticket[20] variable remains uninitialized, and its contents are then sent to the destination VPN Server during the connection process (SoftEther Advisory).
The vulnerability allows an attacker to obtain the contents of an uninitialized 20-byte variable from the VPN Client. While the contents of uninitialized variables are typically unpredictable and may not contain useful information, there is a theoretical possibility that fragments of confidential information (such as authentication information or heap memory addresses) could accidentally overlap with the 20-byte area, potentially exposing sensitive data to the attacker (SoftEther Advisory).
The vulnerability was patched in the release of SoftEther VPN 4.42 Build 9798 RTM on June 30, 2023. The fix implements proper initialization of the variable to prevent the disclosure of uninitialized stack memory (SoftEther Advisory).
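The bug class described above, and the initialization fix, as an added example that is not SoftEther's code: the struct, function names and the 0xA5 filler (standing in for leftover stack contents) are all hypothetical, and the example models only the missing-Ticket case.

```c
#include <stdio.h>
#include <string.h>
#define TICKET_LEN 20

/* Hypothetical, simplified redirect response; the ticket may be absent. */
struct redirect_resp {
    const unsigned char *ticket;   /* NULL when the packet carries no Ticket value */
    size_t ticket_len;
};

/* Pattern described above: the buffer is written only when a ticket exists. */
static void read_ticket_unsafe(const struct redirect_resp *r, unsigned char out[TICKET_LEN])
{
    if (r->ticket != NULL && r->ticket_len == TICKET_LEN)
        memcpy(out, r->ticket, TICKET_LEN);
    /* otherwise out keeps whatever bytes were already there */
}

/* Hardened form: clear first, then copy; report whether a valid ticket was present. */
static int read_ticket_safe(const struct redirect_resp *r, unsigned char out[TICKET_LEN])
{
    memset(out, 0, TICKET_LEN);
    if (r->ticket == NULL || r->ticket_len != TICKET_LEN)
        return 0;
    memcpy(out, r->ticket, TICKET_LEN);
    return 1;
}

/* Counts constructed "stale" bytes that survive into the ticket that would be sent on. */
static int leaked_bytes(int use_safe)
{
    unsigned char ticket[TICKET_LEN];
    struct redirect_resp no_ticket = { NULL, 0 };   /* constructed response without a Ticket */
    int i, n = 0;
    memset(ticket, 0xA5, sizeof ticket);            /* stand-in for leftover stack contents */
    if (use_safe)
        (void)read_ticket_safe(&no_ticket, ticket);
    else
        read_ticket_unsafe(&no_ticket, ticket);
    for (i = 0; i < TICKET_LEN; i++)
        n += (ticket[i] == 0xA5);
    return n;
}

int main(void)
{
    printf("unsafe: %d stale bytes, safe: %d\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The return value of the hardened function also lets a caller treat a redirect without a ticket as an error rather than forwarding a zeroed buffer.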
Source: This report was generated using AI