The developers of OpenVPN have released a new version of the open-source virtual private network software to address a critical denial-of-service (DoS) vulnerability that can be exploited to cause servers to crash.
The vulnerability (CVE-2014-8104) was reported to OpenVPN Technologies by Dragana Damjanovic in late November and it was fixed on Monday with the release of OpenVPN 2.3.6.
“The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server,” OpenVPN explained in an advisory.
The security hole affects all OpenVPN 2.x versions released since 2005, and possibly even older versions. OpenVPN Access Server versions prior to 2.0.11 are also impacted. The vulnerability mainly affects VPN service providers since the client certificates and TLS authentication keys necessary to pull off the attack can be easily obtained in their case.
“Note that username/password authentication does not protect against this exploit, and servers using ‘–client-cert-not-required’ by definition have no client certificates to protect against this exploit,” the advisory reads.
The company has highlighted that the vulnerability can only be exploited by authenticated clients, and that it does not affect traffic confidentiality and authenticity. OpenVPN says there is no evidence that the flaw has been exploited in the wild.
“The OpenVPN 3.x codebase used in most OpenVPN Connect clients (Android, iOS) is not vulnerable and not used on the server-side,” OpenVPN said.
The fix was also backported to the OpenVPN 2.2 branch, and is included in the OpenVPN 2.2.3 source-only release for the benefit of package maintainers. However, the company has noted that an official Windows installer for version 2.2.3 will not be released.
Fredrick Strömberg, the co-founder of Swedish VPN company Mullvad, reported in late September that OpenVPN servers, in certain configurations, are vulnerable to attacks leveraging the GNU Bash vulnerability known as ShellShock. In April, Strömberg claimed to have found a way to exploit the Heartbleed bug in OpenSSL to extract private keys from OpenVPN.
