OpenVPN up to 2.3.5 Control Channel Packet resource management

CVSS Meta Temp Score: 3.8
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.00

A vulnerability classified as problematic was found in OpenVPN up to 2.3.5 (Network Encryption Software). It affects unknown functionality of the component Control Channel Packet Handler. Manipulation with an unknown input leads to a resource management vulnerability, which CWE classifies as CWE-399. The impact is on availability.

The weakness was published on 12/02/2014 by Dragana Damjanovic as SecurityAnnouncement-97597e732b, a confirmed security advisory (Website). The advisory can be read at community.openvpn.net. The public release was coordinated with the project team. The vulnerability has been identified as CVE-2014-8104 since 10/10/2014. The attack may be initiated remotely. Simple authentication is required for exploitation. Technical details are unknown, but an exploit is available.

The exploit is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 79869 (Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openvpn (SSA:2014-344-04)), which helps to determine whether the flaw exists in a target environment. It is assigned to the family Slackware Local Security Checks. The commercial vulnerability scanner Qualys is able to test for this issue with plugin 123013 (OpenVPN Denial of Service Vulnerability). The advisory states:

An OpenVPN server can be easily exploited (crashed) using this vulnerability by an authenticated client. However, we are not aware of this exploit being used in the wild before we released a fixed version (2.3.6).

Upgrading to version 2.3.6 eliminates this vulnerability. A possible mitigation was published before, and not only after, the disclosure of the vulnerability. The security advisory contains the following remark:

Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.
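
The conditions named in the advisory remark can be checked against a server's version and configuration. The following is an added example, not code from the advisory or the OpenVPN project; the function names, finding labels and both sample configurations are constructed for illustration.

```python
import re

FIXED = (2, 3, 6)  # first fixed release according to this entry

def parse_directives(config_text):
    """Map directive name -> arguments for an OpenVPN config file."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        # Accept "tls-auth", "--tls-auth" and the inline "<tls-auth>" form.
        found[parts[0].strip("<>").lstrip("-")] = parts[1:]
    return found

def audit(version, config_text):
    """Return finding labels for CVE-2014-8104 exposure (labels are made up)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    ver = tuple(int(g or 0) for g in m.groups())
    if ver >= FIXED:
        return []                            # 2.3.6 and later: fixed
    # Below 2.3.6 the crash stays reachable for any tls-authenticated
    # client, so the version finding is always reported.
    findings = ["VULNERABLE_VERSION"]
    directives = parse_directives(config_text)
    if "tls-auth" not in directives:
        findings.append("NO_TLS_AUTH")       # no HMAC gate on control packets
    if "client-cert-not-required" in directives:
        findings.append("NO_CLIENT_CERTS")   # password auth does not protect
    return findings

# Constructed sample configurations.
WEAK = """port 1194
ca ca.crt
cert server.crt
key server.key
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check.sh via-env
; tls-auth ta.key 0
"""
HARDENED = """port 1194
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
"""

if __name__ == "__main__":
    print(audit("2.3.5", WEAK))
    print(audit("2.3.5", HARDENED))
```

Even the hardened configuration still reports the version finding, because tls-auth and client certificates only narrow the set of clients able to trigger the flaw.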

The vulnerability is also documented in the databases at X-Force (99191), SecurityTracker (ID 1031277), Vulnerability Center (SBV-47475) and Tenable (79869).

Not Affected

  • OpenVPN 3.x

Product

Type

Name

License

  • open-source

CVSSv3

VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 3.8

VulDB Base Score: 4.3
VulDB Temp Score: 3.8

Exploiting

Class: Resource management
CWE: CWE-399 / CWE-404
ATT&CK: Unknown

Local: No
Remote: Yes

Status: Proof-of-Concept

Nessus ID: 79869
Nessus Name: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openvpn (SSA:2014-344-04)

OpenVAS ID: 703084
OpenVAS Name: Debian Security Advisory DSA 3084-1 (openvpn - security update)

Countermeasures

Recommended: Upgrade

Upgrade: OpenVPN 2.3.6

Timeline

10/10/2014
12/01/2014 +52 days
12/01/2014 +0 days
12/01/2014 +0 days
12/02/2014 +1 days
12/02/2014 +0 days
12/03/2014 +1 days
12/03/2014 +0 days
12/09/2014 +6 days
12/15/2014 +6 days
02/27/2022 +2631 days

Sources

Advisory: SecurityAnnouncement-97597e732b
Researcher: Dragana Damjanovic
Status: Confirmed

CVE: CVE-2014-8104

X-Force: 99191 - OpenVPN short control channel packet denial of service, Medium Risk
SecurityTracker: 1031277 - OpenVPN Control Channel Packet Processing Flaw Lets Remote Authenticated Users Deny Service
Vulnerability Center: 47475 - OpenVPN Remote Denial-of Service via a Small Control Channel Packet, Medium
SecurityFocus: 71402 - OpenVPN CVE-2014-8104 Denial of Service Vulnerability

scip Labs: https://www.scip.ch/en/?labs.20161013

Entry

Created: 12/03/2014 10:37 AM
Updated: 02/27/2022 01:30 PM
Changes: 12/03/2014 10:37 AM (87), 06/14/2017 11:48 AM (7), 02/27/2022 01:30 PM (3)
