OpenVPN server DoS vulnerability fixed
The OpenVPN folks released a security advisory and updates to its server software yesterday for a vulnerability that has existed in the source code since 2005. CVE-2014-8104 is a vulnerability that can result in an OpenVPN server crashing when sent a too-short control channel packet. Note, that in their words "both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious." If I'm reading this correctly, this means that adding "tls-auth <keyfile>
References:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
LINUX Incident Response and Threat Hunting | Online | Japan Standard Time | Oct 21st - Oct 26th 2024 |
Comments