oss-sec mailing list archives
Re: CVE-2014-8104 - Critical OpenVPN DoS Vulnerability
From: Matt U <matt.u () expressvpn com>
Date: Wed, 3 Dec 2014 20:47:01 +0800
Hacking forums have been discussing exploiting this against consumer VPN services - In this case I would agree it's pretty critical since it'll likely be in Metasploit soon (if it isn't already) and from there everyone will want to have a shot...

In any case, "critical" does seem a little subjective in any vulnerability less than RCE or info disclosure. I guess in this case it depends on how the software is being used.

On Wednesday, December 3, 2014, Nicolas Gaudin <nicolas.gaudin () polyconseil fr> wrote:

Hi,

Is this vulnerability really 'critical' if we consider that a malicious user needs to be authenticated to crash the gateway? I understand that the vulnerability is exploitable if a client is compromised (certificate stolen). In such a case (client compromised), the risk is greater as confidentiality is breached.

Nicolas

-----Original Message-----
From: David White [mailto:dmwhite823 () gmail com]
Sent: Wednesday, 3 December 2014 10:24
To: oss-security () lists openwall com
Subject: [oss-security] CVE-2014-8104 - Critical OpenVPN DoS Vulnerability

I saw an email come through the pfSense list yesterday, but haven't seen anything about it discussed here. So I'm bringing it to this list's attention.

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

[ As a side note, I mistakenly thought the OP on the pfSense list mistakenly posted his link to a forum post on OpenVPN that was written in 2010, when in fact, that user had joined in 2010 but posted to the pfSense forum recently - https://forums.openvpn.net/topic17625.html ]

--
David