knighthawk

Denial of service vulnerability in OpenVPN servers

Happy December.

FYI: Critical denial of service vulnerability in OpenVPN servers

https://forums.openvpn.net/topic17625.html

Hopefully not as bad as it sounds.

Posted: Sun Nov 30, 2014 10:33 pm

Hi all,

A critical denial of service security vulnerability affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released today/tomorrow (1st Dec 2014) at around 18:00 UTC.

Brace yourselves for the update.

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc


Hello!

We're following the matter closely, and when the fixed version is released we will upgrade as soon as possible.

Kind regards


Does this mean that those who connect to AirVPN through Viscosity or Tunnelblick will have to re-download config files?

They fixed it...

Diff of 2.3.5 vs 2.3.6

   /* discard leading uint32 */
-  ASSERT (buf_advance (buf, 4));
+  if (!buf_advance (buf, 4)) {
+    msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+	buf->len);
+    goto error;
+  }
 
   /* get key method */
   key_method_flags = buf_read_u8 (buf);
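Review bot: the new `goto error` path depends on an `error:` label that lies outside this hunk; confirm that label releases whatever this function has allocated before bailing out, so a too-short plaintext buffer becomes a logged, cleanly handled failure rather than a resource leak. The shape of the change is right: a length assumption about a peer-supplied buffer is no longer enforced with `ASSERT` (a process abort, i.e. the denial of service) but with a `D_TLS_ERRORS` message and an early exit. The same question should be asked of every remaining `ASSERT (buf_advance (...))` on this receive path (one survives in the third hunk below): can its operand be made false by data the peer controls?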
@@ -2777,8 +2788,9 @@
 	key_id = c & P_KEY_ID_MASK;
       }
 
-      if (op == P_DATA_V1)
-	{			/* data channel packet */
+      if ((op == P_DATA_V1) || (op == P_DATA_V2))
+	{
+	  /* data channel packet */
 	  for (i = 0; i < KEY_SCAN_SIZE; ++i)
 	    {
 	      struct key_state *ks = multi->key_scan[i];
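Review bot: widening the condition to `(op == P_DATA_V1) || (op == P_DATA_V2)` routes a second opcode into the same key-scan loop, but nothing at the `if` says why the two formats can share it or what distinguishes them; add a comment here noting that `P_DATA_V2` carries extra header bytes that are consumed further down (see the third hunk), so a later reader does not merge the branches or drop the per-opcode length check. Moving the `/* data channel packet */` comment onto its own line is fine.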
@@ -2810,7 +2822,19 @@
 		  opt->pid_persist = NULL;
 		  opt->flags &= multi->opt.crypto_flags_and;
 		  opt->flags |= multi->opt.crypto_flags_or;
+
 		  ASSERT (buf_advance (buf, 1));
+		  if (op == P_DATA_V2)
+		    {
+		      if (buf->len < 4)
+			{
+			  msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
+				print_link_socket_actual (from, &gc));
+			  goto error;
+			}
+		      ASSERT (buf_advance (buf, 3));
+		    }
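Review bot: the `ASSERT (buf_advance (buf, 1))` kept immediately above the new `if (op == P_DATA_V2)` block still aborts the daemon if the buffer is empty at that point, while the new V2 branch handles its own short-buffer case with a logged error and `goto error`; for consistency either convert that `ASSERT` to the same check-and-`goto error` pattern or add a comment naming the earlier check that guarantees at least one byte is present. Separately, the `buf->len < 4` test demands one byte more than the 3 bytes that `buf_advance (buf, 3)` consumes, which ensures at least one byte of payload remains after the header; if that is deliberate, say so in a comment, because a reader will otherwise expect `< 3`.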

JD Hopps, the patch is very minor; I don't think we will need new certs.

But Air will be forced to disconnect all connected users on all patched servers, which will reset statistics and connections for some...


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Yeah, sounds like a VPN provider's own authenticated customers would have to be the ones triggering the DoS condition; not exactly good, but at least the whole world can't trigger it, so it buys them some time to roll out the patch to their servers.

Hello!

 

No, the vulnerability is on the server side. The exploit does not affect security but causes the OpenVPN daemon to crash. No action on the client side is required (as long as you use OpenVPN as a client only).

 

Kind regards

Glad AirVPN is on top of things! I thought this was another heartbeat bug for a second.

THIS security announcement says that "In other words this vulnerability is denial of service only."

If a DoS is triggered by *a tls-authenticated client* then the server would just reset and continue.

Sounds minor, hope I didn't miss anything.

Less happy that at least the first security patch only fixed the problem partly. There is still a way to get around it.

I'm seeing several attempts in the apache logs of scanners testing the vulnerability.

Can you elaborate?


Kind regards
