Denial of Service Vulnerability in OpenVPN

    A vulnerability has been found in OpenVPN versions before 2.3.6 that allows authenticated clients to remotely crash a VPN server, i.e. perform a denial-of-service attack.
    The vulnerability is an incorrect use of assert(): the server uses this function to check the minimum size of a control packet from the client, so the server crashes if it receives a control packet less than 4 bytes long from the client.
    Note that to carry out the attack it is enough to establish communication over the control channel, i.e. in the case of TLS, the TLS exchange itself. VPN providers that implement authentication using a username/password and a common TLS key are vulnerable even before the login and password verification stage.
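
The assert() misuse described above, as an added example that is not OpenVPN's own code: a length check on peer-supplied data written as an assertion, next to the same check written as input validation. The function names, the `MIN_CTRL_LEN` constant and the sample packets are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define MIN_CTRL_LEN 4  /* minimum control packet size named in the article */

/* Hypothetical helper: decode the first four bytes as a big-endian word. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: assert() guards a length chosen by the remote peer.
 * A packet shorter than MIN_CTRL_LEN calls abort() and takes the whole
 * server down for every connected client. Built with -DNDEBUG the check
 * disappears instead and read_be32() reads past the end of the buffer. */
int parse_ctrl_assert(const uint8_t *buf, size_t len, uint32_t *out)
{
    assert(len >= MIN_CTRL_LEN);
    *out = read_be32(buf);
    return 0;
}

/* Hardened pattern: a short packet is an input error, not a broken
 * invariant. Reject it, let the caller drop or log the offending
 * session, and keep serving everyone else. */
int parse_ctrl_checked(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || out == NULL || len < MIN_CTRL_LEN)
        return -1;
    *out = read_be32(buf);
    return 0;
}

int main(void)
{
    const uint8_t ok[]   = { 0x00, 0x00, 0x01, 0x02 };  /* constructed sample */
    const uint8_t runt[] = { 0x00, 0x01 };              /* constructed, 2 bytes */
    uint32_t v = 0;

    if (parse_ctrl_checked(ok, sizeof ok, &v) != 0 || v != 0x0102)
        return 1;
    /* The hardened parser survives the short packet ... */
    if (parse_ctrl_checked(runt, sizeof runt, &v) != -1)
        return 1;
    /* ... whereas parse_ctrl_assert(runt, sizeof runt, &v) would abort(). */
    return 0;
}
```

When auditing a code base for this class of bug, look for assertions whose condition depends on a length or field taken from the network; those belong in an error path, not in assert().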

    The vulnerability exists in all versions of the OpenVPN 2.x branch, i.e. going back to at least 2005. The OpenVPN 3 branch, on which the mobile clients are based, is not affected by this vulnerability.

    You should either upgrade to version 2.3.6 or apply the patch to your version of OpenVPN.

    The vulnerability has been assigned CVE-2014-8104.

    Security Announcement with Vulnerability Description
    Forum Post
    CVE-2014-8104
    Latest Version of OpenVPN
