oss-sec mailing list archives
Re: CVE-2014-8104 - Critical OpenVPN DoS Vulnerability
From: Max Mühlbronner <mm () 42com com>
Date: Wed, 03 Dec 2014 13:13:17 +0100
Hi,

just imagine a malicious user signing up for e.g. an anonymous VPN service and crashing the whole OpenVPN process, which would be affecting other users too. I would definitely consider this to be a critical issue.
Max M.

On 03.12.2014 11:11, Nicolas Gaudin wrote:

Hi,

Is this vulnerability really 'critical' if we consider that a malicious user needs to be authenticated to crash the gateway? I understand that the vulnerability is exploitable if a client is compromised (certificate stolen). In such a case (client compromised), the risk is greater as confidentiality is breached.

Nicolas

-----Original Message-----
From: David White [mailto:dmwhite823 () gmail com]
Sent: Wednesday, 3 December 2014 10:24
To: oss-security () lists openwall com
Subject: [oss-security] CVE-2014-8104 - Critical OpenVPN DoS Vulnerability

I saw an email come through the pfSense list yesterday, but haven't seen anything about it discussed here. So I'm bringing it to this list's attention.

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

[ As a side note, I mistakenly thought the OP on the pfSense list mistakenly posted his link to a forum post on OpenVPN that was written in 2010, when in fact, that user had joined in 2010 but posted to the pfSense forum recently - https://forums.openvpn.net/topic17625.html ]

--
David