Changes between Version 3 and Version 4 of SecurityAnnouncement-97597e732b


Timestamp:
12/01/14 18:50:47 (9 years ago)
Author:
Steffan Karger
Comment:

--

  • SecurityAnnouncement-97597e732b

    v3 v4  
    11= Introduction =
    22
    3 In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical ''denial of service'' security vulnerability (CVE-2014-8104). The vulnerability allows an ''authenticated client'' to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.
     3In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical ''denial of service'' security vulnerability (CVE-2014-8104). The vulnerability allows an ''tls-authenticated client'' to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.
    44
    55A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release.
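Review bot: the rewritten sentence on new line 3 now reads "an ''tls-authenticated client''", which needs the article "a" (the word starts with a "t" sound); the old line had "an ''authenticated client''", so the article should have been changed along with the adjective. It would also help to say in the Introduction what "tls-authenticated" covers, since the term is new here and the Mitigating factors section below lists both client certificates and TLS auth as the relevant mechanisms.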
     
    1313== Mitigating factors ==
    1414
    15 Only ''authenticated'' clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious.
     15Only ''tls-authenticated'' clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does *not* protect against this exploit.
    1616
    1717In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys.
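Review bot: the added sentence on new line 15 uses `*not*` for emphasis while the rest of the page uses Trac wiki italics (`''tls-authenticated''`, `''denial of service''`); use `''not''` or `'''not'''` so it renders as emphasis instead of literal asterisks. The sentence itself is the right addition: it resolves the ambiguity of the old "authenticated" wording, which a reader could have taken to include username/password authentication, and it is consistent with the preceding sentence that names client certificates and TLS auth as the protecting mechanisms.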
     
    2323== How do I fix this? ==
    2424
    25 Simply install a patched version of OpenVPN. If you're using official releases then go for OpenVPN 2.3.6 or latest Git "master". If you're using OpenVPN from your operatings system's software repositories then install an updated version from them.
     25Simply install a patched version of OpenVPN. If you're using official releases then go for OpenVPN 2.3.6 or latest Git "master". If you're using OpenVPN from your operating system's software repositories then install an updated version from them.
    2626
    2727If you're maintaining packages based on OpenVPN 2.2 you can get a backported patch from the Git repository's release/2.2 branch.
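Review bot: the typo fix ("operatings" to "operating") is fine, but while this line is being touched, the fix instructions name only 2.3.6 and Git "master" whereas the Introduction above states that the fix was also released as OpenVPN 2.2.3; line 27 should name 2.2.3 alongside the release/2.2 branch so readers of the "How do I fix this?" section do not have to find that release number in the Introduction.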