In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical denial of service security vulnerability (CVE-2014-8104). The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.

A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release.

Scope of the vulnerability

This vulnerability affects all OpenVPN 2.x versions released since 2005. It is also possible that even older versions are affected. However, only server availability is affected. Confidentiality and authenticity of traffic are not affected.

The OpenVPN 3.x codebase used in most OpenVPN Connect clients (Android, iOS) is not vulnerable and not used on the server-side.

Mitigating factors

Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.

In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys.

Has OpenVPN been successfully exploited?

An OpenVPN server can be easily exploited (crashed) using this vulnerability by an authenticated client. However, we are not aware of this exploit being used in the wild before we released a fixed version (2.3.6).

How do I fix this?

Simply install a patched version of OpenVPN. If you're using official releases then, go for OpenVPN 2.3.6 or latest Git "master". If you're using OpenVPN from your operating system's software repositories then install an updated version from them.

If you're maintaining packages based on OpenVPN 2.2 you can get a backported patch from the Git repository's release/2.2 branch.

Is Access Server affected?

Access Server versions prior to 2.0.11 are vulnerable. The first fixed, non-vulnerable version is 2.0.11 - you should upgrade to it as soon as possible, especially if you suspect some clients might be malicious.

Last modified 8 years ago Last modified on 12/02/14 03:50:47