The OpenVPN Project has released a new version of its popular open source software of the same name and is urging users to upgrade, as it fixes a critical denial of service vulnerability (CVE-2014-8104).
“The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server,” the project's security advisory explains. The developers are not aware of this bug having been exploited in the wild before the fixed version (2.3.6) was released.
The flaw allows only denial of service, not remote code execution or information disclosure.
“This vulnerability affects all OpenVPN 2.x versions released since 2005. It is also possible that even older versions are affected,” the advisory points out. “However, only server availability is affected. Confidentiality and authenticity of traffic are not affected.”
“In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys,” the developers noted.
Access Server versions prior to 2.0.11 are also vulnerable, so users are advised to upgrade as soon as possible. The OpenVPN 3.x codebase used in most OpenVPN Connect clients (Android, iOS) is not vulnerable.
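As an added example (not code from the advisory or the OpenVPN project), a small Python check that parses an OpenVPN version banner and flags builds older than the fixed releases named above: 2.3.6 for OpenVPN 2.x, 2.0.11 for Access Server, with the 3.x codebase treated as unaffected. The banners are constructed samples and the product labels are assumptions for this script.

```python
import re

# Fixed versions from the advisory: 2.3.6 for OpenVPN 2.x, 2.0.11 for Access Server.
FIXED = {"openvpn": (2, 3, 6), "access_server": (2, 0, 11)}


def parse_version(banner):
    """Return the first dotted version in a version banner as an int tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        raise ValueError("no version number found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, product="openvpn"):
    """True if this version is in an affected branch and older than the fix."""
    if product == "openvpn":
        if version[0] >= 3:
            return False  # OpenVPN 3.x codebase is not affected
        # Every 2.x release since 2005 is affected; the advisory says even
        # older versions may be, so anything below 2.3.6 is treated as at risk.
        return version < FIXED["openvpn"]
    if product == "access_server":
        return version < FIXED["access_server"]
    raise ValueError("unknown product: %s" % product)


# Constructed sample banners in the shape of `openvpn --version` output;
# they are not captured from real hosts.
SAMPLE_BANNERS = [
    "OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] built on Oct 7 2014",
    "OpenVPN 2.3.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] built on Dec 1 2014",
    "OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [IPv6]",
]


def audit(banners, product="openvpn"):
    """Map each banner's version string to whether it needs the CVE-2014-8104 fix."""
    results = {}
    for banner in banners:
        v = parse_version(banner)
        results["%d.%d.%d" % v] = is_vulnerable(v, product)
    return results


if __name__ == "__main__":
    for ver, vuln in audit(SAMPLE_BANNERS).items():
        print(ver, "VULNERABLE - upgrade" if vuln else "fixed")
```

Distribution packages sometimes backport a fix while keeping an older version string, so treat a "vulnerable" result from this check as a prompt to confirm against the package changelog rather than as proof.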
The vulnerability was reported to OpenVPN by researcher Dragana Damjanovic in late November.