knighthawk 19 Posted ... Happy December. FYI: Critical denial of service vulnerability in OpenVPN servers https://forums.openvpn.net/topic17625.html Hopefully not as bad as it sounds. Posted: Sun Nov 30, 2014 10:33 pmHi all,A critical denial of service security vulnerability affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released today/tomorrow (1st Dec 2014) at around 18:00 UTC.Brace yourselves for the update.Best regards,--Samuli SeppänenCommunity ManagerOpenVPN Technologies, Inc Quote Share this post Link to post
Staff 10017 Posted ... Happy December. FYI: Critical denial of service vulnerability in OpenVPN servers https://forums.openvpn.net/topic17625.html Hopefully not as bad as it sounds. Hello! We're following closely the matter and when the fixed version is released we will upgrade as soon as possible. Kind regards Quote Share this post Link to post
S.O.A. 83 Posted ... Happy December. FYI: Critical denial of service vulnerability in OpenVPN servers https://forums.openvpn.net/topic17625.html Hopefully not as bad as it sounds. Hello! We're following closely the matter and when the fixed version is released we will upgrade as soon as possible. Kind regards Does this mean that for those who connect to AirVPN through Viscosity or Tunnelblick will have to re-download config files? Quote Share this post Link to post
zhang888 1066 Posted ... They fixed it...Diff of 2.3.5 vs 2.3.6 /* discard leading uint32 */ - ASSERT (buf_advance (buf, 4)); + if (!buf_advance (buf, 4)) { + msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", + buf->len); + goto error; + } /* get key method */ key_method_flags = buf_read_u8 (buf); @@ -2777,8 +2788,9 @@ key_id = c & P_KEY_ID_MASK; } - if (op == P_DATA_V1) - { /* data channel packet */ + if ((op == P_DATA_V1) || (op == P_DATA_V2)) + { + /* data channel packet */ for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; @@ -2810,7 +2822,19 @@ opt->pid_persist = NULL; opt->flags &= multi->opt.crypto_flags_and; opt->flags |= multi->opt.crypto_flags_or; + ASSERT (buf_advance (buf, 1)); + if (op == P_DATA_V2) + { + if (buf->len < 4) + { + msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", + print_link_socket_actual (from, &gc)); + goto error; + } + ASSERT (buf_advance (buf, 3)); + } JD Hopps, the patch is very minor I don't think we will need new certs.But Air will be forced to disconnect all connected users on all patched servers, which will reset statistics and connections for some... Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
knighthawk 19 Posted ... Yeah sounds like a vpn providers own authenticated customers would have to be ones triggering the DoS condition, not exactly good, but at least the whole world can't trigger it so buys them some time to roll out the patch to their servers. Quote Share this post Link to post
Staff 10017 Posted ... Happy December. FYI: Critical denial of service vulnerability in OpenVPN servers https://forums.openvpn.net/topic17625.html Hopefully not as bad as it sounds. Hello! We're following closely the matter and when the fixed version is released we will upgrade as soon as possible. Kind regards Does this mean that for those who connect to AirVPN through Viscosity or Tunnelblick will have to re-download config files? Hello! No, the vulnerability is on the server side. The exploit does not affect security but cause OpenVPN daemon crash. No action on the client side is required (as long as you use OpenVPN as a client only). Kind regards Quote Share this post Link to post
Staff 10017 Posted ... https://airvpn.org/topic/12793-completed-openvpn-upgrade Kind regards Quote Share this post Link to post
PANDABOY 1 Posted ... Glad AIRVPN is on top of things! I thought this was another heart beat bug for a second. THIS security anouncement says that "In other words this vulnerability is denial of service only." If a DOS is triggerd by *an tls-authenticated client* then the server would just reset and continue. sonds minor, hope I didnt miss anything. Quote Share this post Link to post
pearlofsam 0 Posted ... Less happy that at least the first security patch only fixed the problem partly. There is still a way to get around it. I'm seeing several attempts in the apache logs of scanners testing the vulnerability. Quote Share this post Link to post
Staff 10017 Posted ... Less happy that at least the first security patch only fixed the problem partly. There is still a way to get around it. I'm seeing several attempts in the apache logs of scanners testing the vulnerability. Can you elaborate? Kind regards Quote Share this post Link to post