Jump to content
Not connected, Your IP: 18.117.158.10
AirVPN
Sign in to follow this  
Followers 0
knighthawk

Denial of service vulnerability in OpenVPN servers

By knighthawk, ... in Off-Topic

Recommended Posts

knighthawk    19

knighthawk
Posted ...

Happy December.

 

FYI: Critical denial of service vulnerability in OpenVPN servers

https://forums.openvpn.net/topic17625.html

 

Hopefully not as bad as it sounds.

 

Posted: Sun Nov 30, 2014 10:33 pm

Hi all,

A critical denial of service security vulnerability affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released today/tomorrow (1st Dec 2014) at around 18:00 UTC.

Brace yourselves for the update.

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

 

Share this post

Link to post

S.O.A.    83

S.O.A.
Posted ...

 

Happy December.

 

FYI: Critical denial of service vulnerability in OpenVPN servers

https://forums.openvpn.net/topic17625.html

 

Hopefully not as bad as it sounds.

 

Hello!

 

We're following closely the matter and when the fixed version is released we will upgrade as soon as possible.

 

Kind regards

 

 

Does this mean that for those who connect to AirVPN through Viscosity or Tunnelblick will have to re-download config files?

Share this post

Link to post

zhang888    1066

zhang888
Posted ...

They fixed it...

Diff of 2.3.5 vs 2.3.6

 

   /* discard leading uint32 */
-  ASSERT (buf_advance (buf, 4));
+  if (!buf_advance (buf, 4)) {
+    msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+	buf->len);
+    goto error;
+  }
 
   /* get key method */
   key_method_flags = buf_read_u8 (buf);
@@ -2777,8 +2788,9 @@
 	key_id = c & P_KEY_ID_MASK;
       }
 
-      if (op == P_DATA_V1)
-	{			/* data channel packet */
+      if ((op == P_DATA_V1) || (op == P_DATA_V2))
+	{
+	  /* data channel packet */
 	  for (i = 0; i < KEY_SCAN_SIZE; ++i)
 	    {
 	      struct key_state *ks = multi->key_scan[i];
@@ -2810,7 +2822,19 @@
 		  opt->pid_persist = NULL;
 		  opt->flags &= multi->opt.crypto_flags_and;
 		  opt->flags |= multi->opt.crypto_flags_or;
+
 		  ASSERT (buf_advance (buf, 1));
+		  if (op == P_DATA_V2)
+		    {
+		      if (buf->len < 4)
+			{
+			  msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
+				print_link_socket_actual (from, &gc));
+			  goto error;
+			}
+		      ASSERT (buf_advance (buf, 3));
+		    }

 

JD Hopps, the patch is very minor I don't think we will need new certs.

But Air will be forced to disconnect all connected users on all patched servers, which will reset statistics and connections for some...

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

knighthawk    19

knighthawk
Posted ...

Yeah sounds like a vpn providers own authenticated customers would have to be ones triggering the DoS condition, not exactly good, but at least the whole world can't trigger it so buys them some time to roll out the patch to their servers.

Share this post

Link to post

Staff    9972

Staff
Posted ...

 

 

Happy December.

 

FYI: Critical denial of service vulnerability in OpenVPN servers :o

https://forums.openvpn.net/topic17625.html

 

Hopefully not as bad as it sounds.

 

Hello!

 

We're following closely the matter and when the fixed version is released we will upgrade as soon as possible.

 

Kind regards

 

 

Does this mean that for those who connect to AirVPN through Viscosity or Tunnelblick will have to re-download config files?

 

Hello!

 

No, the vulnerability is on the server side. The exploit does not affect security but cause OpenVPN daemon crash. No action on the client side is required (as long as you use OpenVPN as a client only).

 

Kind regards

Share this post

Link to post

PANDABOY    1

PANDABOY
Posted ...

Glad AIRVPN is on top of things! I thought this was another heart beat bug for a second.

 

THIS security anouncement says that "In other words this vulnerability is denial of service only."

 

If a DOS is triggerd by *an tls-authenticated client* then the server would just reset and continue.

 

sonds minor, hope I didnt miss anything.

Share this post

Link to post

pearlofsam    0

pearlofsam
Posted ...

Less happy that at least the first security patch only fixed the problem partly. There is still a way to get around it.

 

I'm seeing several attempts in the apache logs of scanners testing the vulnerability.

Share this post

Link to post

Staff    9972

Staff
Posted ...

Less happy that at least the first security patch only fixed the problem partly. There is still a way to get around it. I'm seeing several attempts in the apache logs of scanners testing the vulnerability.

 

Can you elaborate?

 

Kind regards

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...