In November 2014, Dragana Damjanovic alerted OpenVPN Technologies of a major Denial of Service (DoS) vulnerability that can disrupt the servers of hundreds of VPN service providers who use the OpenVPN software. The vulnerability has been present in the software since 2005, in the affected versions 2.x and older. OpenVPN, developed by OpenVPN Technologies Inc., is an open source software program that allows users to access the internet securely and anonymously from anywhere. OpenVPN uses the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols, which provide communication security over the Internet between servers. The vulnerability discovered by Damjanovic would allow anyone with access to the TLS Auth keys to crash VPN servers around the globe.
The vulnerability, known as CVE-2014-8104, allows a TLS-authenticated client to crash VPN servers that use OpenVPN software by “sending a too-short control channel packet to the servers”, making it a Denial of Service only vulnerability. In other words, users of a VPN provider whose servers are affected by the vulnerability cannot access the internet through that VPN.
According to a security announcement 97597e732b released by OpenVPN on December 2, 2014, “only TLS-authenticated clients can trigger the vulnerability in the OpenVPN server”. OpenVPN goes on to state that providers who use both client certificates and TLS authentication are protected from the vulnerability as well as their customers. However, username/password authentication alone will not protect against the exploit, and servers using ‘client-cert-not-required’ do not, by definition, have the necessary client certificates to protect against the vulnerability either.
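The class of bug described above, as an added example that is not OpenVPN's own code: a simplified control-channel header parser over a constructed layout (an assumption, not the exact OpenVPN wire format) that returns an error on a too-short packet so the server drops it and keeps running, instead of asserting on an attacker-controlled length and aborting the whole process.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified control-channel header (assumption for this example):
 *   byte 0      : opcode in the high 5 bits, key_id in the low 3 bits
 *   bytes 1..8  : 8-byte session id
 *   byte 9      : N, number of ACKed packet ids that follow
 *   next N*4    : ACKed packet ids (big-endian)
 *   next 4      : this packet's own packet id (big-endian)
 */
struct ctrl_hdr {
    uint8_t  opcode;
    uint8_t  key_id;
    uint8_t  session_id[8];
    uint8_t  n_acks;
    uint32_t packet_id;
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened parse: every field is length-checked before it is read.
 * Returns 0 on success, -1 if the packet is too short for what it claims.
 * The weak pattern this replaces is an assert()/abort on buf length, which
 * turns one malformed packet from a peer into a crash of the daemon. */
int parse_control_header(const uint8_t *buf, size_t len, struct ctrl_hdr *out)
{
    size_t need = 1 + 8 + 1;                 /* opcode, session id, ack count */
    if (buf == NULL || out == NULL || len < need)
        return -1;                           /* drop packet, do not abort */

    out->opcode = buf[0] >> 3;
    out->key_id = buf[0] & 0x07;
    memcpy(out->session_id, buf + 1, sizeof out->session_id);
    out->n_acks = buf[9];

    /* The ack count is peer-controlled: re-check the length before trusting it. */
    need += (size_t)out->n_acks * 4 + 4;
    if (len < need)
        return -1;

    out->packet_id = read_be32(buf + 10 + (size_t)out->n_acks * 4);
    return 0;
}
```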
Only the VPN service providers using software versions 2.x and older are affected by this vulnerability. Those providers are being advised to update their software to version 3.x or to install the patched version 2.3.6, released in December 2014. This “fix” was also backported to the OpenVPN 2.2 branch and released as version 2.2.3, which is a ‘source-only’ release.
OpenVPN also states that Access Server versions prior to 2.0.11 are vulnerable, and clients should update to version 2.0.11 as soon as possible, as this release is the first non-vulnerable version.
The scope of the vulnerability extends to all OpenVPN software versions 2.x from 2005 onwards and some older versions as well, but it only affects ‘server availability’. Android and iOS mobile device users are not affected by the vulnerability. VPN users are also not affected: their information and traffic remain confidential and protected, as only the availability of VPN providers' servers is affected by the vulnerability.
The good news is that, to date, OpenVPN has had no reports of server crashes “in the wild” from any VPN service provider using their software due to this exploit. Even though anyone could have gotten “their hands on the necessary client certificates and TLS Auth keys”, it is sheer dumb luck that no one has taken advantage of the exploit in the past 13 years to wreak havoc on VPN servers around the globe. Nevertheless, OpenVPN urges their clients who utilize versions 2.x and older, and those who still use ‘client-cert-not-required’, to upgrade their software package or install the patch. Many VPN service providers have already updated their servers, and those who use a VPN service built on OpenVPN software should check with their VPN provider to make sure it has updated its software accordingly.