SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function. NOTE: the Supplier disputes this because the behavior only enables a local user to attack himself through the UI,
The error is a buffer overflow (CWE-120) in the UniToStrForSingleChars function found in the Internat.c file. The overflow can be triggered by Unicode string operations performed by this function. The software vendor stipulates that the attack vector is exclusively the local user interface, which limits the realistic scope of the vulnerability — a remote attacker without local account access cannot directly trigger this error.
In theory, successful buffer overflow exploitation could lead to process hijacking, data exposure in memory, or application instability. However, the vendor indicates that in practice, the consequences are limited to the local user's own environment using the graphical interface.
Apply patches available from the vendor according to references. It is advisable to monitor the vendor's official channel for updates. As additional precautions, restrict local access to workstations with SoftEther VPN installed exclusively to trusted users.
SoftEther VPN version 5.02.5187
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSoftether Vpn
APPSoftether5.02.5187
Related vulnerabilities
Buffer Overflow w SoftEther VPN – funkcje PtMakeCert i PtMakeCert2048
Use-after-free w SoftEther VPN 5.02.5187 – Command.c (CheckNetworkAcceptThread)
A heap-based buffer overflow vulnerability exists in the vpnserver WpcParsePacket() functionality of SoftEther...
A denial-of-service vulnerability exists in the vpnserver EnSafeHttpHeaderValueStr functionality of SoftEther ...
A denial-of-service vulnerability exists in the vpnserver ConnectionAccept() functionality of SoftEther VPN 5....