Bug 1166910 - (CVE-2014-8104) CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1169487 1169488
Blocks: 1166911
Reported: 2014-11-21 18:12 EST by Vincent Danen
Modified: 2015-01-05 04:09 EST (History)
Fixed In Version: openvpn 2.3.6
Doc Type: Bug Fix
Last Closed: 2014-12-18 16:17:32 EST

Attachments
upstream patch (1.32 KB, patch)
2014-11-21 18:16 EST, Vincent Danen
Description Vincent Danen 2014-11-21 18:12:37 EST
It was discovered that an authenticated client could trigger an ASSERT() in OpenVPN by sending a too-short control channel packet to the server.  This could cause the OpenVPN server to crash and deny access to the VPN to other legitimate users.


Red Hat would like to thank the OpenVPN project for reporting this issue.  Upstream acknowledges Dragana Damjanovic as the original reporter.
Comment 1 Vincent Danen 2014-11-21 18:16:38 EST
Created attachment 960011
upstream patch
Comment 4 Vincent Danen 2014-12-01 14:30:33 EST
External References:

Comment 5 Vincent Danen 2014-12-01 14:32:58 EST
Created openvpn tracking bugs for this issue:

Affects: fedora-all [bug 1169487]
Affects: epel-all [bug 1169488]
Comment 6 Vincent Danen 2014-12-01 14:34:06 EST
Note that an update has been submitted for Fedora 21:


Also note the following mitigating factors from the upstream announcement:

Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.

In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys.
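
An added example, not part of the bug report or of OpenVPN's own code: a small Python check that relates a server's version banner and configuration to the fixed version and the mitigating factors quoted above. The function names, the sample banner and the sample config are constructed for illustration; `tls-auth` and `client-cert-not-required` are the OpenVPN directives behind "TLS auth" and `--client-cert-not-required`.

```python
import re

FIXED_UPSTREAM = (2, 3, 6)  # "Fixed In Version: openvpn 2.3.6" from this bug

def parse_directives(conf_text):
    """Map directive name -> argument list, skipping '#' and ';' comments."""
    directives = {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lstrip("-")] = args  # accept "--opt" and "opt"
    return directives

def assess(version_banner, conf_text):
    """Return findings ("<check>: <detail>") for one OpenVPN server."""
    findings = []
    m = re.search(r"OpenVPN (\d+)\.(\d+)\.(\d+)", version_banner)
    if m is None:
        findings.append("version: could not parse the banner")
    elif tuple(int(g) for g in m.groups()) < FIXED_UPSTREAM:
        # Upstream numbering only; a distribution package may carry a backport.
        findings.append("version: older than upstream 2.3.6")
    directives = parse_directives(conf_text)
    if "tls-auth" not in directives:
        findings.append("tls-auth: not configured, so no TLS auth key is required")
    if "client-cert-not-required" in directives:
        findings.append("client-cert-not-required: set, so no client certificate is required")
    return findings

# Constructed sample inputs (not taken from any real server).
VULN_BANNER = "OpenVPN 2.3.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO]"
VULN_CONF = """\
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
;tls-auth ta.key 0
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check.sh via-env
"""

if __name__ == "__main__":
    for finding in assess(VULN_BANNER, VULN_CONF):
        print(finding)
```

An empty result means the server reports at least upstream 2.3.6 and requires both a TLS auth key and client certificates; it says nothing about whether the clients holding those credentials can be trusted.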
