A critical denial of service security vulnerability (CVE-2014-8104)


  • _In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical denial of service security vulnerability (CVE-2014-8104). The vulnerability allows a tls-authenticated client to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.

    A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release._
    https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

    Please tell me how I can update the OpenVPN service to version 2.3.6 on the pfSense platform?


  • Also looking for this information, or any way I can help if testing is needed (I can't code myself out of a paper bag).

  • Rebel Alliance Developer Netgate

    The new version will be in pfSense 2.2 snapshots soon (if not already). The client export package has already been updated. There won't be an update for pfSense 2.1.x since it is not likely to impact many users.

    To be exploited requires that the user be authenticated (has a certificate). It isn't like Heartbleed or similar where just anyone can connect and cause trouble.

    Unless you hand out certificates to untrusted clients, it isn't a huge concern.


  • Jimp - Thanks for the quick response as to the severity of this vulnerability!

    Ash,


  • @jimp:

    The new version will be in pfSense 2.2 snapshots soon (if not already). The client export package has already been updated. There won't be an update for pfSense 2.1.x since it is not likely to impact many users.

    To be exploited requires that the user be authenticated (has a certificate). It isn't like Heartbleed or similar where just anyone can connect and cause trouble.

    Unless you hand out certificates to untrusted clients, it isn't a huge concern.

    Thanks for the response. So there is no concern that malware introduced to systems that already have certs will abuse this vulnerability? Because every station that needs this functionality is by definition outside the secure perimeter of the network that pfSense is protecting, the chances of a user with a cert having an infected station are raised. If nothing else, a DoS attack leveraged against this service could be used to distract an admin during another, more serious attack.

    The concept of a "trusted user" should be long dead.  The reality most admins I know live in is that the users that need remote functionality don't give two bits about security, they want stuff to "just work."  I try (and to be sure, sometimes fail) to give every user only the level of access they require to do their work, and put protections in place where possible to prevent that level of access from being abused.
    I can't run a pre-release version of code in a production environment. Is there anything I could do to help get this ported back into the 2.1.x codebase, to mitigate the possibility of malware abusing this DoS vulnerability from a user who has a cert? I CAN build a few test firewalls if need be; I just can't use 2.2 in my production firewalls.
    Thanks!!

  • Rebel Alliance Developer Netgate

    There is no way to get it "ported".

    The problem is a DoS only, so you could use the Service Watchdog to keep an eye on the server and restart it.

    Sure it's possible for malware to target it, but it's highly unlikely for it to do so. And if you know the service stopped, you can check your logs and see who the last person was to connect before it died, revoke their certificate and then send some hired help to beat them up. Or do it personally. Your choice.

    Or just upgrade to 2.2-RC when it drops shortly and stop worrying about it.
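
The "check your logs and see who the last person was to connect before it died" step above, turned into a script. This is an added example, not code from the thread, from pfSense or from the OpenVPN project. It assumes the server log is in syslog form with the process id in `openvpn[NNN]:` (as pfSense writes it), that a `Peer Connection Initiated` line marks a completed TLS handshake and names the client's certificate CN, and that a restart by the Service Watchdog shows up as a change of process id. The log lines are constructed for the example, not a real capture; the exact wording of your own log may differ.

```sh
#!/bin/sh
# Added example (not from the forum thread or pfSense): for every OpenVPN
# server process that died, report the last client that completed a TLS
# handshake with it. A new process id on an "openvpn[...]" line is treated
# as the restart marker (assumption: Service Watchdog restarts yield a new
# pid). Usage: last_peer_before_restart /var/log/openvpn.log

last_peer_before_restart() {
  awk '
    {
      # Pull the process id out of "openvpn[1234]:"; skip non-openvpn lines.
      if (!match($0, /openvpn\[[0-9]+\]/)) next
      pid = substr($0, RSTART + 8, RLENGTH - 9)

      # A different pid means the previous server process exited
      # (crash or restart): report its last completed client handshake.
      if (prev_pid != "" && pid != prev_pid) {
        if (last[prev_pid] != "") print last[prev_pid]
        else print "pid=" prev_pid " no completed client handshake"
      }
      prev_pid = pid

      # Field layout of the syslog line:
      #   $1 $2 $3 = month day time, $4 = host, $5 = openvpn[pid]:,
      #   $6 = client src:port, $7 = [CN] once the handshake completed.
      if ($0 ~ /Peer Connection Initiated/) {
        src = $6
        cn = substr($7, 2, length($7) - 2)   # strip the [ ] around the CN
        last[pid] = "pid=" pid " cn=" cn " src=" src " at=" $1 " " $2 " " $3
      }
    }
  ' "$1"
}

# Constructed sample log (not a real capture): two clients connect to
# pid 1234, the process dies, the watchdog starts pid 5678, alice reconnects.
sample_log() {
cat <<'EOF'
Dec  1 18:01:02 fw openvpn[1234]: 203.0.113.7:51234 VERIFY OK: depth=0, CN=alice
Dec  1 18:01:02 fw openvpn[1234]: 203.0.113.7:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.7:51234
Dec  1 18:04:40 fw openvpn[1234]: 198.51.100.9:40022 VERIFY OK: depth=0, CN=bob
Dec  1 18:04:41 fw openvpn[1234]: 198.51.100.9:40022 [bob] Peer Connection Initiated with [AF_INET]198.51.100.9:40022
Dec  1 18:05:03 fw openvpn[5678]: OpenVPN 2.3.4 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6]
Dec  1 18:05:03 fw openvpn[5678]: Initialization Sequence Completed
Dec  1 18:07:15 fw openvpn[5678]: 203.0.113.7:51300 VERIFY OK: depth=0, CN=alice
Dec  1 18:07:15 fw openvpn[5678]: 203.0.113.7:51300 [alice] Peer Connection Initiated with [AF_INET]203.0.113.7:51300
EOF
}

# Run against the constructed sample; prints one line per dead process.
tmp=$(mktemp)
sample_log > "$tmp"
last_peer_before_restart "$tmp"
rm -f "$tmp"
```

On the sample this prints `pid=1234 cn=bob src=198.51.100.9:40022 at=Dec 1 18:04:41`, so the certificate to revoke would be bob's. Two caveats follow from the thread itself: this is jimp's "last to connect" heuristic, so the CN identifies the certificate that was used, not necessarily a malicious person (malware on a legitimate user's station, as the earlier post worries, shows up under that user's CN); and on a busy server the client that sent the bad packet need not be the most recent one to finish a handshake, so treat the output as the first lead, not proof.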