CVE-2024-38520
📋 TL;DR
This CVE describes an amplification/reflection vulnerability in SoftEtherVPN when L2TP is enabled. An attacker sends small UDP packets with a spoofed source address (the victim's) to a vulnerable server; the server answers the spoofed address with larger packets, so the server becomes a reflector in a DDoS attack against a third party. Affects SoftEtherVPN deployments with L2TP enabled on versions before the fix (5.02.5185).
💻 Affected Systems
- SoftEtherVPN
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Vulnerable server becomes unwitting participant in large-scale DDoS attacks against other targets, potentially causing service disruption and attracting legal/abuse complaints.
Likely Case
Server bandwidth consumed by amplification traffic, degraded VPN performance, and potential involvement in DDoS campaigns.
If Mitigated
Minimal impact if L2TP disabled or patched; server continues normal VPN operations.
🎯 Exploit Status
Exploitation requires no authentication and uses standard network protocols; amplification attacks are well-known techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.02.5185
Vendor Advisory: https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq
Restart Required: Yes
Instructions:
1. Download SoftEtherVPN version 5.02.5185 or later from the official repository.
2. Stop the SoftEtherVPN service.
3. Install/upgrade to the patched version.
4. Restart the SoftEtherVPN service.
🔧 Temporary Workarounds
Disable L2TP Protocol
Disable L2TP functionality in the SoftEtherVPN configuration to remove the exposed UDP listener.
Using the management tool: vpncmd localhost /SERVER /CMD IPsecEnable /L2TP:no /L2TPRAW:no /ETHERIP:no /PSK:<psk> /DEFAULTHUB:<hub> (vpncmd prompts for any parameter you omit), then confirm with vpncmd localhost /SERVER /CMD IPsecGet. Alternatively, stop the server and edit vpn_server.config, setting the L2TP flags in its IPsec section (bool L2TP_IPsec, bool L2TP_Raw) to false, then start the server again.
🧯 If You Can't Patch
- Disable the L2TP protocol in the SoftEtherVPN configuration immediately
- Implement network ACLs to block L2TP/IPsec traffic (UDP ports 500, 1701, 4500) from untrusted sources. Caveat: reflected packets carry the victim's address as their source, so an ACL cannot tell them from a new client; this only helps when legitimate L2TP clients come from known address ranges. Otherwise, rate-limit inbound UDP on those ports as a stopgap.
🔍 How to Verify
Check if Vulnerable:
Check if SoftEtherVPN version is below 5.02.5185 AND L2TP is enabled in configuration.
Check Version:
vpncmd localhost /SERVER /CMD ServerInfoGet (same syntax on Windows and Linux; add /PASSWORD:<admin password> if one is set). The server version is reported as "Version 5.02 Build NNNN". Check whether L2TP is enabled with vpncmd localhost /SERVER /CMD IPsecGet.
Verify Fix Applied:
Verify SoftEtherVPN version is 5.02.5185 or higher using version check command.
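The two checks above (version below 5.02.5185 AND L2TP enabled) can be combined into one script. The following is an added example, not code from the SoftEtherVPN project or the advisory: it parses the output of vpncmd's ServerInfoGet and IPsecGet commands, compares the build number against the fixed version, and reports whether the host matches the vulnerable condition. The sample outputs embedded in it are constructed to mirror vpncmd's English table layout (row labels and column widths are assumptions, not captured output), and the --live mode assumes vpncmd is on PATH and reachable on localhost.

```python
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

# Fixed version according to the vendor advisory (GHSA-j35p-p8pj-vqxq).
PATCHED = (5, 2, 5185)

# SoftEther reports its version as "Version <major>.<minor> Build <build>".
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+Build\s+(\d+)")

# IPsecGet rows that expose an L2TP listener. EtherIP/L2TPv3 is not named
# by the advisory, so it is deliberately not counted here.
L2TP_ROWS = ("L2TP over IPsec", "Raw L2TP")


class Status(NamedTuple):
    version: Tuple[int, int, int]
    l2tp_enabled: bool
    vulnerable: bool


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, build) from vpncmd output such as ServerInfoGet."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no SoftEther version string found")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def l2tp_enabled(ipsec_text: str) -> bool:
    """True if any L2TP row (L2TP over IPsec or raw L2TP) in IPsecGet output is Yes."""
    for line in ipsec_text.splitlines():
        item, sep, value = line.partition("|")
        if sep and any(row in item for row in L2TP_ROWS) and value.strip() == "Yes":
            return True
    return False


def assess(info_text: str, ipsec_text: str) -> Status:
    """Vulnerable only when both conditions hold: old build AND L2TP on."""
    version = parse_version(info_text)
    l2tp = l2tp_enabled(ipsec_text)
    return Status(version, l2tp, version < PATCHED and l2tp)


def run_vpncmd(command: str, host: str = "localhost", password: Optional[str] = None) -> str:
    """Run one vpncmd server-mode command (assumed: vpncmd on PATH, admin access)."""
    argv = ["vpncmd", host, "/SERVER"]
    if password:
        argv.append(f"/PASSWORD:{password}")
    argv += ["/CMD", command]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# Constructed sample output modelled on vpncmd's table layout; not a real capture.
SAMPLE_INFO = """Item                 |Value
---------------------+----------------------------------
Server Product Name  |SoftEther VPN Server (64 bit)
Server Version String|Version 5.02 Build 5180 (English)
"""

SAMPLE_IPSEC_ON = """Item                                              |Value
--------------------------------------------------+-------
Enable L2TP over IPsec Server Function            |Yes
Enable Raw L2TP Server Function                   |No
Enable EtherIP / L2TPv3 over IPsec Server Function|No
Pre Shared Key for IPsec                          |vpn
Default Virtual HUB for L2TP/EtherIP              |DEFAULT
"""
SAMPLE_IPSEC_OFF = SAMPLE_IPSEC_ON.replace("|Yes", "|No")


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        info, ipsec = run_vpncmd("ServerInfoGet"), run_vpncmd("IPsecGet")
    else:
        info, ipsec = SAMPLE_INFO, SAMPLE_IPSEC_ON
    print(assess(info, ipsec))
```

Run it with --live on the server itself; without the flag it evaluates the constructed sample, which represents a 5.02 build 5180 host with L2TP over IPsec turned on.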
📡 Detection & Monitoring
Log Indicators:
- Many L2TP/IPsec session attempts that never complete authentication (a spoofing attacker never finishes the exchange; logs cannot show the spoofing itself, only the one-sided attempts)
- High volume of L2TP requests, often concentrated on one or a few remote addresses (the reflection victims)
Network Indicators:
- Unexpected outbound traffic spikes on UDP ports 500/1701/4500
- Asymmetric traffic patterns (small inbound, large outbound)
SIEM Query:
protocol=UDP AND server_port IN (500, 1701, 4500) AND bytes_out > 10 * bytes_in
(field names depend on your flow source; bytes_out is what the VPN server sent to the remote address and bytes_in what it received. Aggregate per remote address over a window rather than per packet, since single flows are noisy.)
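The asymmetric-traffic indicator above can be tested against flow records before it goes into a SIEM. The following is an added example, not part of this page or the SoftEtherVPN project: it aggregates UDP flows on the L2TP/IPsec ports per remote address, computes the ratio of bytes the server sent to bytes it received, and flags addresses that received far more than they sent. The flow records, addresses (RFC 5737 documentation ranges), packet sizes and the thresholds are constructed assumptions for illustration; the advisory does not state an amplification factor.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP ports the workaround section names: IKE (500), raw L2TP (1701), IPsec NAT-T (4500).
L2TP_PORTS = {500, 1701, 4500}


@dataclass
class Flow:
    """One flow record from the VPN server's perspective."""
    remote_ip: str
    server_port: int
    proto: str
    bytes_in: int    # bytes the server received from remote_ip
    bytes_out: int   # bytes the server sent to remote_ip


def find_reflection_victims(flows: List[Flow], min_ratio: float = 2.0,
                            min_bytes_out: int = 100_000) -> Dict[str, float]:
    """Return remote addresses that received far more L2TP/IPsec traffic from this
    server than they sent, keyed to the amplification ratio.
    Thresholds are illustrative assumptions, not values from the advisory."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "UDP" or f.server_port not in L2TP_PORTS:
            continue
        totals[f.remote_ip][0] += f.bytes_in
        totals[f.remote_ip][1] += f.bytes_out
    victims = {}
    for ip, (bytes_in, bytes_out) in totals.items():
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        if bytes_out >= min_bytes_out and ratio >= min_ratio:
            victims[ip] = round(ratio, 1)
    return victims


def sample_flows() -> List[Flow]:
    """Constructed records; addresses are documentation ranges and sizes are made up."""
    flows = []
    # A real client: traffic in both directions is roughly balanced.
    flows.append(Flow("203.0.113.10", 4500, "UDP", 800_000, 750_000))
    # A single probe: asymmetric, but far too small to matter.
    flows.append(Flow("192.0.2.5", 1701, "UDP", 60, 600))
    # Spoofed requests whose source is the victim: 500 tiny requests, each answered
    # with a reply ten times larger, so the victim receives 300 kB it never asked for.
    flows += [Flow("198.51.100.7", 1701, "UDP", 60, 600) for _ in range(500)]
    # Unrelated TCP traffic on the same host is ignored by the port/protocol filter.
    flows.append(Flow("203.0.113.11", 443, "TCP", 20_000, 900_000))
    return flows


if __name__ == "__main__":
    for ip, ratio in find_reflection_victims(sample_flows()).items():
        print(f"possible reflection victim {ip}: amplification x{ratio}")
```

The per-address aggregation is the point: one small request with a larger reply is normal protocol behaviour, while thousands of them to a single address that never completes a session is the reflection pattern, and the victim address, not the attacker's, is what the server's own logs show.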
🔗 References
- https://github.com/SoftEtherVPN/SoftEtherVPN/commit/c2a7aa548137dc80c6aafdc645cf4dc34e0dc764
- https://github.com/SoftEtherVPN/SoftEtherVPN/releases/tag/5.02.5185
- https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq