OpenVPN has patched a denial-of-service vulnerability which authenticated users could trigger by sending malicious packets.
The flaw (CVE-2014-8104) is most damaging to VPN service providers and was reported to OpenVPN by researcher Dragana Damjanovic last month.
Maintainers said in an advisory issued this morning that the flaw affected versions dating back to at least 2005 and allowed TLS-authenticated clients to crash the server by sending it a too-short control channel packet.
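The defensive point behind that description is that a server must treat every length derived from a peer's packet as untrusted and fail closed on a short read rather than asserting. The following is an added illustration, not OpenVPN's code and not its wire format: it parses a constructed, simplified control-channel message (a hypothetical `key_method`/`options_len`/`options` layout) and returns an error on truncated input instead of crashing the process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified message layout for illustration only; this is
 * NOT the OpenVPN control-channel format. Big-endian fields:
 *   uint16 key_method | uint16 options_len | options[options_len] */
struct ctrl_msg {
    uint16_t key_method;
    uint16_t options_len;
    const uint8_t *options;   /* points into the caller's buffer */
};

/* Bounds-checked 16-bit read. Returns false instead of aborting when the
 * packet is shorter than the field being read. */
static bool read_u16(const uint8_t *buf, size_t len, size_t *pos, uint16_t *out) {
    if (len < *pos || len - *pos < 2)
        return false;
    *out = (uint16_t)((buf[*pos] << 8) | buf[*pos + 1]);
    *pos += 2;
    return true;
}

/* Returns 0 on success, -1 on a malformed (e.g. too-short) packet.
 * A peer sending a truncated message gets a parse error and can be
 * disconnected; the server process itself keeps running. */
int parse_ctrl_msg(const uint8_t *buf, size_t len, struct ctrl_msg *msg) {
    size_t pos = 0;
    if (!read_u16(buf, len, &pos, &msg->key_method)) return -1;
    if (!read_u16(buf, len, &pos, &msg->options_len)) return -1;
    if (len - pos < msg->options_len) return -1;   /* body shorter than declared */
    msg->options = buf + pos;
    return 0;
}

int main(void) {
    /* Constructed sample packets: one well-formed, one cut short. */
    const uint8_t good[] = {0x00, 0x02, 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t shortpkt[] = {0x00, 0x02, 0x00};
    struct ctrl_msg m;
    printf("good packet: %s\n", parse_ctrl_msg(good, sizeof good, &m) == 0 ? "parsed" : "rejected");
    printf("short packet: %s\n", parse_ctrl_msg(shortpkt, sizeof shortpkt, &m) == 0 ? "parsed" : "rejected");
    return 0;
}
```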
“In other words this vulnerability is denial of service only,” they said.
“An OpenVPN server can be easily crashed using this vulnerability by an authenticated client. However, we are not aware of this exploit being in the wild before we released a fixed version.
“Confidentiality and authenticity of traffic are not affected.”
The impact of the vulnerability was reduced because attackers had to be authenticated clients, meaning client certificates and TLS authentication would be sufficient protection provided trusted client machines were not compromised.
VPN service providers and other servers using the ‘client-cert-not-required’ option with username/password access were exposed, since any user could obtain client certificates and TLS authentication keys.
“The first fixed, non-vulnerable version is 2.0.11 – you should upgrade to it as soon as possible, especially if you suspect some clients might be malicious,” the maintainers said.
The OpenVPN 3.x codebase used in most OpenVPN Connect clients on Android and iOS was not vulnerable.
A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release.