OpenVPN has patched a critical denial of service (DoS) vulnerability which could allow authenticated clients to crash servers running the open source VPN.
The flaw, recorded as CVE-2014-8104, was first discovered late last month by researcher Dragana Damjanovic, who warned that it allows a TLS-authenticated client to crash OpenVPN servers “by sending a too-short control channel packet to the server,” according to a security announcement.
The vulnerability apparently affects all OpenVPN 2.x versions released since 2005, but not the OpenVPN 3.x codebase used in most OpenVPN Connect clients.
“It is also possible that even older versions are affected. However, only server availability is affected. Confidentiality and authenticity of traffic are not affected,” it added.
OpenVPN said it had released a fixed version, 2.3.6, but reassured users that it had not thus far seen the flaw being exploited in the wild. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3.
The advisory continued:
“Only TLS-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.
In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys.”
Access server versions earlier than 2.0.11 are also vulnerable. OpenVPN urged admins to upgrade to 2.0.11 or higher as soon as possible “especially if you suspect some clients might be malicious.”
OpenVPN Technologies, the privately-held Californian firm that runs the open source virtual private network platform, claims over three million downloads of the product since its inception in 2002.