An update for OpenVPN released on Monday patches a serious denial of service vulnerability present in the open source VPN software since 2005.
“It is also possible that even older versions are affected,” OpenVPN said in its advisory, clarifying that the flaw affects primarily OpenVPN 2.x versions. “However, only server availability is affected. Confidentiality and authenticity of traffic are not affected.”
The issue was reported to OpenVPN in late November by Dragana Damjanovic; the flaw allows a TLS-authenticated client to crash an OpenVPN server. An attacker would need to send a short, control channel packet to the server to trigger the vulnerability.
OpenVPN 2.3.6 was released yesterday and the fix was backported to the OpenVPN 2.2 branch, OpenVPN said. OpenVPN 3.x is not vulnerable, the group said. 3.x is used in most OpenVPN Connect clients for Android and iOS.
“Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server,” the advisory said. “Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious.”
VPN service providers are most in harm’s way with this vulnerability, OpenVPN said. The group said that it is not aware of any public exploits of the vulnerability, despite its ease of exploitation.
“You should upgrade to it as soon as possible, especially if you suspect some clients might be malicious,” OpenVPN said.