Your OpenVPN server might be at risk

bigcat · Dec 2, 2014

In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical denial of service security vulnerability (CVE-2014-8104). The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.

A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release.

An OpenVPN server can be easily exploited (crashed) using this vulnerability by an authenticated client

How to fix?

Simply install a patched version of OpenVPN. If you're using official releases then, go for OpenVPN 2.3.6 or latest Git "master". If you're using OpenVPN from your operating system's software repositories then install an updated version from them.

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

HalfEatenPie · Dec 2, 2014

Hm interesting news.

Any information if they're going to update the repos?

SentinelTower · Dec 2, 2014

It seems that the debian repo has been updated for wheezy (security):

https://security-tracker.debian.org/tracker/CVE-2014-8104

rds100 · Dec 2, 2014

The key here is "by authenticated client". I.e. your personal private OpenVPN server is not at risk.

D. Strout · Dec 2, 2014

rds100 said:
The key here is "by authenticated client". I.e. your personal private OpenVPN server is not at risk.

Good to know.

Your OpenVPN server might be at risk

bigcat

Member

HalfEatenPie

The Irrational One

SentinelTower

New Member

rds100

New Member

D. Strout

Resident IPv6 Proponent