CVE-2023-32275: 
SoftEther VPN Server vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-32275) exists in the CtEnumCa() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. This vulnerability allows disclosure of sensitive information through specially crafted network packets. The vulnerability was discovered by Lilith of Cisco Talos and was publicly disclosed on October 12, 2023 (Talos Report, Vendor Advisory).

The vulnerability exists in the SoftEther VPN client's RPC server functionality. When the EnumCa command is executed, the system exposes heap addresses of CA certificates through the Key member of RPC_CLIENT_ENUM_CA_ITEM struct. On 32-bit systems, the actual heap address is directly exposed, while on 64-bit systems, a hash of the address is revealed. The vulnerability has a CVSS v3.1 score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Talos Report).

The vulnerability allows an authenticated administrator to view the heap addresses of trusted CA certificates in the VPN process. While this information disclosure is limited to administrators with legitimate access, it could potentially be used to infer the heap state of the process without memory dumping. This is particularly significant in 32-bit versions where actual heap addresses are exposed (Vendor Advisory).

The vendor has addressed this vulnerability by implementing a random number seed specific to the process instance when generating unique enumeration identifiers from heap addresses. This modification makes it difficult to create rainbow tables for both 32-bit and 64-bit versions. Users should upgrade to SoftEther VPN versions newer than 4.41-9782-beta and 5.01.9674 (Vendor Advisory).