The OpenVPN folks released a security advisory and updates to its server software yesterday for a vulnerability that has existed in the source code since 2005. CVE-2014-8104 is a vulnerability that can result in an OpenVPN server crashing when sent a too-short control channel packet. Note, that in their words "both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious." If I'm reading this correctly, this means that adding "tls-auth <keyfile> (0|1)" (as appropriate) to the configuration files on both server and client as well as using client certificates should protect against this attack. Folks running OpenVPN servers are strongly urged to update to v2.3.6 as soon as possible. The fixes have also been backported to v2.2 and can be found in the git repository, but may also exist in earlier v2.x code if anyone is still running old server software. Note that the v3.x code used in most OpenVPN Connect clients (such as those for Android and iOS) are not vulnerable. My Ubuntu systems got the update last night, so if you are running an OpenVPN server on Linux hopefully the patches are available via the usual package update mechanism or soon will be.
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Northern VA - Fairfax 2020