[INFO] Critical denial of service vulnerability in OpenVPN servers

  • Posting on the OpenVPN Messageboard https://forums.openvpn.net/topic17625.html

    Hi all,

    A critical denial of service security vulnerability affecting OpenVPN servers was recently brought to our attention. A fixed version of OpenVPN (2.3.6) will be released today/tomorrow (1st Dec 2014) at around 18:00 UTC.

    Brace yourselves for the update.

    Best regards,

    Samuli Seppänen
    Community Manager
    OpenVPN Technologies, Inc

    irc freenode net: mattock

  • We're already tracking.  You beat me here by about a minute.

  • LAYER 8 Moderator

    Someone may correct me if I'm wrong but as far as I read that announcement here:

    -> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

    this only matters if it is triggered by a tls-authenticated client. So as long as I offer no public service and only hand out VPN certs, users & passes to people of my own organization (and they don't lose their cert, user & pass), all that happens is that the daemon could be DOS'ed and isn't available anymore (so I restart the VPN daemon, look at the logfile who was the dumbhead that killed my server and kick his balls). Spoken with a grain of sarcasm of course ;)

    But other than that - if I'm not trying to run some kind of VPN mega-service with free public registration to my VPN server (and therefore hand out certs to my server to everyone), I don't see that as overly mission critical as it was hyped/announced before.


  • Rebel Alliance Developer Netgate

    That is correct.

    Unless you're running a public VPN server or run with ONLY auth (no certs/tls) then you're safe.

    The OpenVPN client export package has been updated with the new installers as of yesterday afternoon, and the 2.2 snapshots should have the new version now as well, but it wouldn't warrant a new 2.1.x release.

  • Yeah….  OpenVPN seems a bit on the useless side unless the server is public.
    So, I'm guessing this affects a whole lot of people.
    I will upgrade now.

    EDIT:  Since "Now" seems too soon.  I will try again in a few hours...

  • Rebel Alliance Developer Netgate

    No, not a "public" VPN server as in one open to the world. A "public" VPN server like PIA, VyprVPN, and so on that accepts public clients where anyone can get a certificate and authenticate.

    If it's a private VPN for just you or a company or so on and you don't hand out certs like candy, then you're fine.

  • Hmmmm.  Seems like upgrading will be smart for me.  Thanks.
    Any other changes getting into 2.3.6?

  • Rebel Alliance Developer Netgate

    Not sure what all changed in OpenVPN 2.3.6, the OpenVPN site should have a changelog.

    Since this is a DoS ONLY and NOT one that could lead to information disclosure, if someone is worried about their VPN server dying the Service Watchdog package could help. It would restart the VPN server if it is down.

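As an added example (not from the thread, pfSense or OpenVPN), the exposure reasoning in the posts above as a small Python check: a server is exposed only if it runs a version before 2.3.6 and people you did not deliberately issue certs to could still authenticate. The `client-cert-not-required` directive stands in for the "ONLY auth (no certs/tls)" case and the `public_enrolment` flag for the public-VPN case; the banners and configs are constructed samples.

```python
import re

# First release with the fix, per the OpenVPN announcement quoted in the thread.
FIXED = (2, 3, 6)


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an 'openvpn --version' banner."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenVPN version found in banner")
    return tuple(int(x) for x in m.groups())


def parse_config(text: str) -> dict:
    """Map each server directive to its argument string (True if none)."""
    directives = {}
    for line in text.splitlines():
        # '#' and ';' both start comments in OpenVPN config files
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *rest = line.split(None, 1)
            directives[key] = rest[0] if rest else True
    return directives


def assess(banner: str, config: str, public_enrolment: bool) -> str:
    """Return 'patched', 'exposed' or 'low-risk'; public_enrolment is operator knowledge."""
    if parse_version(banner) >= FIXED:
        return "patched"
    cfg = parse_config(config)
    # Password-only servers accept clients without a cert, so anyone holding a
    # username/password, not just people you issued certs to, can authenticate.
    anyone_can_auth = "client-cert-not-required" in cfg or public_enrolment
    return "exposed" if anyone_can_auth else "low-risk"


# Constructed sample inputs; build strings, paths and configs are made up.
OLD_BANNER = "OpenVPN 2.3.4 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] built on Jun 1 2014"
NEW_BANNER = "OpenVPN 2.3.6 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] built on Dec 1 2014"
PRIVATE_CONF = "port 1194\nproto udp\ntls-auth ta.key 0  # certs issued only to staff\n"
PASSWORD_ONLY_CONF = ("port 1194\nproto udp\nclient-cert-not-required\n"
                      "auth-user-pass-verify /usr/local/sbin/check.sh via-env\n")

if __name__ == "__main__":
    for name, banner, conf, public in [
        ("private, old", OLD_BANNER, PRIVATE_CONF, False),
        ("password-only, old", OLD_BANNER, PASSWORD_ONLY_CONF, False),
        ("public enrolment, new", NEW_BANNER, PRIVATE_CONF, True),
    ]:
        print(f"{name}: {assess(banner, conf, public)}")
```
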
  • Hi guys, a question:
    is this update required on the pfSense side or the client side?
    Thank you

  • Rebel Alliance Developer Netgate

    The server side is the one that really needs updated to fix the potential DoS.

    Though the client export package has the new 2.3.6 installers already, you can update those as needed as well.

  • @jimp:

    The server side is the one that really needs updated to fix the potential DoS.

    Though the client export package has the new 2.3.6 installers already, you can update those as needed as well.

    I've checked the latest OpenVPN client export on the pfSense; it shows version 1.2.15, as in the attached picture.
    Is this the latest version for pfSense?

    External users are updated to version 2.3.6.


    ![Pfsense -openvpn.jpg](/public/imported_attachments/1/Pfsense -openvpn.jpg)

  • Rebel Alliance Developer Netgate

    That is the version of the export package. That version of the export package does include the OpenVPN 2.3.6 installers.

  • It's too bad that the current stable version of pfSense won't get a minor maintenance release for this…
    I'm not sure how far out the stable release of 2.2 is.

  • Rebel Alliance Developer Netgate

    2.2 RC should be out by the end of the day tomorrow. Release won't be that far behind given the current bug list and what's left to do.

    To put out a 2.1.x release we would have to bring 2.2 development to a complete halt and focus on backporting and testing things in 2.1.x again. It's not worth the effort for this with 2.2 so close.

  • Cool.  I wasn't expecting a release in the next 6 months.  I'm used to beta staying beta for a good long while.

  • I'm with jimp - the 2.2-BETA really has got out all the bugs I can think of in the parts I use. I also think that 2.2-RC will not need to live for long before an official release.