VPN Articles and News

OpenVPN Fixes Critical Denial Of Service Flaw

Tuesday, December 30th, 2014

OpenVPN Technologies Inc. has recently patched a major Denial of Service (DOS) vulnerability (dubbed as CVE-2014-8104 by the OpenVPN team) that was present within its VPN software. The security flaw was discovered by researcher Dragana Damjanovic in the month of November and it had the potential to disrupt operations of hundreds of VPN service providers who rely on the OpenVPN software to offer privacy services to their customers. According to a security advisory issued by the company, the vulnerability was present in the OpenVPN software since at least 2005 but it had escaped detection so far.

The security advisory also sheds more light on how the vulnerability works in real life. As per the information released by the company, the security flaw makes it possible for any TLS-authenticated client machine to crash an OpenVPN server by bombarding it with malicious data packets. The good news is that the vulnerability does not affect the authentication part of the OpenVPN architecture so the login details of users remain safe from theft and misuse. Since the providers of OpenVPN based VPN services rely on TLS authentication to deliver their services, any VPN user who has valid login details can exploit the flaw and bring down a VPN server.

Since the vulnerability was present in the OpenVPN architecture for quite some time, several versions of the software were affected by it. As per the bulletin, all 2.x versions of the software were affected by the flaw. There is also a big possibility that the glitch was present in some of the older versions of the software. However, the OpenVPN team has explicitly stated that the vulnerability is no longer present in version 3.x of the software. This means that iOS and Android based mobile devices would not be affected by the glitch since these systems often rely on the OpenVPN Connect app (which uses version 3+ of OpenVPN software) to connect to OpenVPN based VPN services.

Although CVE-2014-8104 is a serious vulnerability, the chances of its widespread misuse are pretty remote. That’s because, both the TLS layer as well as the client-server based authentication process provides an in-built protection against the flaw. The OpenVPN team has also expressed confidence that the glitch has not been exploited by anyone so far. However, OpenVPN servers that rely on ‘client-cert-not-required’ based login system (a lot of VPN providers use it to deliver their services) remain vulnerable to the security flaw if the client machines connecting to them are using older versions (2.x) of the OpenVPN software.

OpenVPN Technologies has urged service providers to upgrade to a higher version of the OpenVPN software to protect their infrastructure from this particular vulnerability. The company has already released a patched version of its software (for version 2.3.6, backported till version 2.2) so VPN providers can readily safeguard themselves from such denial of service attacks. Many VPN service providers have already patched their servers and even released updated versions for their client softwares. If you are a VPN user who connects to an OpenVPN based VPN server then you must check for new updates from your service provider and update your VPN client immediately.

December 30, 2014

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 7 =