OpenVPN up to 2.3.5 Control Channel Packet resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.8 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in OpenVPN up to 2.3.5. It affects an unknown function of the Control Channel Packet Handler component. Manipulation leads to a resource management error. The vulnerability is tracked as CVE-2014-8104. An exploit is available. Upgrading the affected component is recommended.
Details
A vulnerability classified as problematic was found in OpenVPN up to 2.3.5 (Network Encryption Software). It affects unknown functionality of the Control Channel Packet Handler component. Manipulation with an unknown input leads to a resource management vulnerability, which CWE classifies as CWE-399. The impact is on availability. The CVE summary reads:
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
The weakness was published on 12/02/2014 by Dragana Damjanovic as SecurityAnnouncement-97597e732b, a confirmed security advisory (Website). The advisory can be read at community.openvpn.net. The public release was coordinated with the project team. The vulnerability has been identified as CVE-2014-8104 since 10/10/2014. The attack can be initiated remotely. Simple authentication is required for exploitation. Technical details are unknown, but an exploit is available.
The exploit is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 79869 (Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openvpn (SSA:2014-344-04)), which helps to determine whether the flaw exists in a target environment. It is assigned to the family Slackware Local Security Checks. The commercial vulnerability scanner Qualys can test for this issue with plugin 123013 (OpenVPN Denial of Service Vulnerability). The advisory states:
An OpenVPN server can be easily exploited (crashed) using this vulnerability by an authenticated client. However, we are not aware of this exploit being used in the wild before we released a fixed version (2.3.6).
Upgrading to version 2.3.6 eliminates this vulnerability. A possible mitigation was published before the disclosure of the vulnerability, not only afterwards. The security advisory contains the following remark:
Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.
The vulnerability is also documented in the databases at X-Force (99191), Tenable (79869), SecurityFocus (BID 71402†), SecurityTracker (ID 1031277†) and Vulnerability Center (SBV-47475†).
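An audit helper for the affected version ranges in the CVE summary and the mitigation remark in the advisory, added here as an example and not taken from the advisory or from OpenVPN. The function names and the sample configuration are constructed, and comment handling is simplified to `#` and `;`.

```python
import re

# First fixed patch level per 2.x branch, from the CVE summary quoted above.
# None means the summary lists the whole branch as affected (2.1.x).
FIXED_PATCH = {0: 11, 1: None, 2: 3, 3: 6}

def parse_version(text):
    """Extract (major, minor, patch) from a version string or banner line."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(text):
    """True if the version falls in a range the CVE-2014-8104 summary lists."""
    major, minor, patch = parse_version(text)
    if major != 2 or minor not in FIXED_PATCH:
        return False  # outside the listed ranges (e.g. 3.x)
    fixed = FIXED_PATCH[minor]
    return fixed is None or patch < fixed

def audit_config(conf):
    """Return findings for a server config, following the advisory remark."""
    directives = set()
    for line in conf.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            directives.add(line.split()[0].lstrip("-"))
    findings = []
    if "client-cert-not-required" in directives:
        findings.append("client-cert-not-required: no client certificates "
                        "restrict who reaches the control channel")
    if "tls-auth" not in directives:
        findings.append("tls-auth not set: control channel packets are not "
                        "HMAC-authenticated")
    return findings

# Constructed sample server config: password-only auth, tls-auth commented out.
SAMPLE_CONF = """\
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check.sh via-env
;tls-auth ta.key 0
"""

if __name__ == "__main__":
    print(is_affected("OpenVPN 2.3.5 x86_64-pc-linux-gnu"), audit_config(SAMPLE_CONF))
```

A clean `audit_config` result does not make an unpatched server safe: per the advisory, certificates and TLS auth only help while every client can be trusted.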
Not Affected
- OpenVPN 3.x
CVSSv3
VulDB Meta Base Score: 4.3
VulDB Meta Temp Score: 3.8
VulDB Base Score: 4.3
VulDB Temp Score: 3.8
Exploiting
Class: Resource management
CWE: CWE-399 / CWE-404
Physical: No
Local: No
Remote: Yes
Status: Proof-of-Concept
Nessus ID: 79869
Nessus Name: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openvpn (SSA:2014-344-04)
OpenVAS ID: 703084
OpenVAS Name: Debian Security Advisory DSA 3084-1 (openvpn - security update)
Countermeasures
Recommended: Upgrade
Upgrade: OpenVPN 2.3.6
Timeline
10/10/2014
12/01/2014
12/01/2014
12/01/2014
12/02/2014
12/02/2014
12/03/2014
12/03/2014
12/09/2014
12/15/2014
02/27/2022
Sources
Advisory: SecurityAnnouncement-97597e732b
Researcher: Dragana Damjanovic
Status: Confirmed
CVE: CVE-2014-8104
GCVE (CVE): GCVE-0-2014-8104
GCVE (VulDB): GCVE-100-68315
X-Force: 99191 - OpenVPN short control channel packet denial of service, Medium Risk
SecurityFocus: 71402 - OpenVPN CVE-2014-8104 Denial of Service Vulnerability
SecurityTracker: 1031277 - OpenVPN Control Channel Packet Processing Flaw Lets Remote Authenticated Users Deny Service
Vulnerability Center: 47475 - OpenVPN Remote Denial-of Service via a Small Control Channel Packet, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 12/03/2014 10:37
Updated: 02/27/2022 13:30
Changes: 12/03/2014 10:37 (87), 06/14/2017 11:48 (7), 02/27/2022 13:30 (3)