[Arch Linux Security Advisory ASA-201412-2] openvpn: denial of service

Arch Linux Security Advisory ASA-201412-2
=========================================

Severity: High
Date    : 2014-12-02
CVE-ID  : CVE-2014-8104
Package : openvpn
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package openvpn before version 2.3.6-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.3.6-1.

# pacman -Syu "openvpn>=2.3.6-1"

The problem has been fixed upstream [0] in version 2.3.6.

Workaround
==========

None.

Description
===========

It was discovered that an authenticated client could trigger an ASSERT()
in OpenVPN by sending a too-short control channel packet to the server.
This could cause the OpenVPN server to crash and deny access to the VPN
to other legitimate users.
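
The bug class described above, shown as an added example that is not OpenVPN's code and is not taken from the upstream fix: a packet parser treats the received length as untrusted and drops a too-short packet with an error instead of asserting on it, so one peer's malformed packet cannot terminate the process serving everyone else. The header layout, struct, and function names are hypothetical and simplified.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified control packet header (not OpenVPN's wire format):
 * 1 byte opcode, 8 bytes session id, 4 bytes packet id (big-endian). */
#define HDR_LEN (1 + 8 + 4)

struct ctrl_hdr {
    uint8_t  opcode;
    uint8_t  session_id[8];
    uint32_t packet_id;
};

enum parse_result { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_BAD_ARG = -2 };

/* Risky pattern: an assert(len >= HDR_LEN) here would abort the whole server
 * process when a single peer sends a short packet.
 * Hardened pattern: validate the length and reject only this packet. */
enum parse_result parse_ctrl_hdr(const uint8_t *buf, size_t len,
                                 struct ctrl_hdr *out)
{
    if (buf == NULL || out == NULL)
        return PARSE_BAD_ARG;
    if (len < HDR_LEN)
        return PARSE_TOO_SHORT;   /* caller drops the packet, keeps serving */

    out->opcode = buf[0];
    memcpy(out->session_id, buf + 1, sizeof out->session_id);
    out->packet_id = ((uint32_t)buf[9] << 24) | ((uint32_t)buf[10] << 16) |
                     ((uint32_t)buf[11] << 8) | (uint32_t)buf[12];
    return PARSE_OK;
}

/* Handles a batch of packets and returns how many were dropped as malformed.
 * A bad packet must not stop the remaining peers' packets being handled. */
size_t process_batch(const uint8_t *const pkts[], const size_t lens[],
                     size_t n, size_t *accepted)
{
    size_t dropped = 0;
    struct ctrl_hdr h;
    *accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_ctrl_hdr(pkts[i], lens[i], &h) == PARSE_OK)
            (*accepted)++;
        else
            dropped++;
    }
    return dropped;
}
```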

Impact
======

A remote authenticated attacker could send specially crafted packets
that cause the OpenVPN server to crash, denying service to other
legitimate users.
