The developers of OpenVPN have released a new version of the open-source virtual private network software to address a critical denial-of-service (DoS) vulnerability that can be exploited to cause servers to crash.
The vulnerability (CVE-2014-8104) was reported to OpenVPN Technologies by Dragana Damjanovic in late November and it was fixed on Monday with the release of OpenVPN 2.3.6.
“The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server,” OpenVPN explained in an advisory.
The security hole affects all OpenVPN 2.x versions released since 2005, and possibly even older versions. OpenVPN Access Server versions prior to 2.0.11 are also impacted. The vulnerability mainly affects VPN service providers since the client certificates and TLS authentication keys necessary to pull off the attack can be easily obtained in their case.
“Note that username/password authentication does not protect against this exploit, and servers using ‘–client-cert-not-required’ by definition have no client certificates to protect against this exploit,” the advisory reads.
The company has highlighted that the vulnerability can only be exploited by authenticated clients, and that it does not affect traffic confidentiality and authenticity. OpenVPN says there is no evidence that the flaw has been exploited in the wild.
“The OpenVPN 3.x codebase used in most OpenVPN Connect clients (Android, iOS) is not vulnerable and not used on the server-side,” OpenVPN said.
The fix was also backported to the OpenVPN 2.2 branch, and is included in the OpenVPN 2.2.3 source-only release for the benefit of package maintainers. However, the company has noted that an official Windows installer for version 2.2.3 will not be released.
Fredrick Strömberg, the co-founder of Swedish VPN company Mullvad, reported in late September that OpenVPN servers, in certain configurations, are vulnerable to attacks leveraging the GNU Bash vulnerability known as ShellShock. In April, Strömberg claimed to have found a way to exploit the Heartbleed bug in OpenSSL to extract private keys from OpenVPN.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
