Re: CVE-2014-8104 - Critical OpenVPN DoS Vulnerability

[Matt U <matt.u () expressvpn com>]

Hacking forums have been discussing exploiting this against consumer VPN
services - In this case I would agree it's pretty critical since it'll
likely be in Metasploit soon (if it isn't already) and from there everyone
will want to have a shot...

In any case, "critical" does seem a little subjective in any vulnerability
less than RCE or info disclosure. I guess in this case it depends on how
the software is being used.

On Wednesday, December 3, 2014, Nicolas Gaudin <
nicolas.gaudin () polyconseil fr> wrote:

> Hi,
> Is this vulnerability really 'critical' if we consider that a malicious
> user
> needs to be authenticated to crash the gateway?
> I understand that the vulnerability is exploitable if a client is
> compromised (certificate stolen).
> In such a case (client compromised), the risk is greater as confidentiality
> is breached.
>
> Nicolas
>
> -----Message d'origine-----
> De : David White [mailto:dmwhite823 () gmail com <javascript:;>]
> Envoyé : mercredi 3 décembre 2014 10:24
> À : oss-security () lists openwall com <javascript:;>
> Objet : [oss-security] CVE-2014-8104 - Critical OpenVPN DoS Vulnerability
>
> I saw an email come through the pfSense list yesterday, but haven't seen
> anything about it discussed here. So I'm bringing it to this list's
> attention.
>
> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
>
> [ As a side note, I mistakenly thought the OP on the pfSense list
> mistakenly
> posted his link to a forum post on OpenVPN that was written in 2010, when
> in
> fact, that user had joined in 2010 but posted to the pfSense forum
> recently - https://forums.openvpn.net/topic17625.html ]
>
>
> --
> David