| 3 | | A critical denial of service security vulnerability (CVE-2014-8104, not public yet) affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released 1st Dec 2014 at around 18:00 UTC. |
| | 3 | In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical ''denial of service'' security vulnerability (CVE-2014-8104). The vulnerability allows an ''authenticated client'' to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only. |
| | 4 | |
| | 5 | A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release. |
| | 6 | |
| | 7 | == Scope of the vulnerability == |
| | 8 | |
| | 9 | This vulnerability affects all OpenVPN 2.x versions released since 2005. It is also possible that even older versions are affected. However, only ''server availability'' is affected. Confidentiality and authenticity of traffic are ''not'' affected. |
| | 10 | |
| | 11 | The OpenVPN 3.x codebase used in most OpenVPN Connect clients (Android, iOS) is not vulnerable and not used on the server-side. |
| | 12 | |
| | 13 | == Mitigating factors == |
| | 14 | |
| | 15 | Only ''authenticated'' clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. |
| | 16 | |
| | 17 | In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys. |
| | 18 | |
| | 19 | == Has OpenVPN been successfully exploited? == |
| | 20 | |
| | 21 | An OpenVPN server can be easily exploited (crashed) using this vulnerability by an authenticated client. However, we are not aware of this exploit being in the wild before we released a fixed version (2.3.6). |
| | 22 | |
| | 23 | == How do I fix this? == |
| | 24 | |
| | 25 | Simply install a patched version of OpenVPN. If you're using official releases then go for OpenVPN 2.3.6 or latest Git "master". If you're using OpenVPN from your operatings system's software repositories then install an updated version from them. |
| | 26 | |
| | 27 | If you're maintaining packages based on OpenVPN 2.2 you can get a backported patch from the Git repository's release/2.2 branch. |
| | 28 | |
| | 29 | == Is Access Server affected? == |
| | 30 | |
| | 31 | Yes. You should upgrade to the latest release as soon as possible, especially if you suspect some clients might be malicious. |
