CVE-2014-8104
Published 2014-12-03
Priority P4 27 · medium 6.8 · CVSS 2.0
AV:N/AC:L/Au:S/C:N/I:N/A:C
EPSS: 3.48% (87.6th percentile)
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
Affected
101 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openvpn | < openvpn 2.3.4-5 (bookworm) | openvpn 2.3.4-5 (bookworm) |
| mageia | mageia | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
| openvpn | openvpn | — | — |
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:L/Au:S/C:N/I:N/A:C
osv · 6.8 MEDIUM
vendor_debian · 6.8 MEDIUM
Ubuntu
OpenVPN vulnerability
vendor_ubuntu·2014-12-02
CVE-2014-8104 OpenVPN vulnerability
Title: OpenVPN vulnerability
Summary: OpenVPN could be made to crash if it received specially crafted network
traffic.
Dragana Damjanovic discovered that OpenVPN incorrectly handled certain
control channel packets. An authenticated attacker could use this issue to
cause an OpenVPN server to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2014-8104: openvpn - OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 all...
vendor_debian·2014·CVSS 6.8
CVE-2014-8104 [MEDIUM] CVE-2014-8104: openvpn - OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 all...
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
Scope: local
bookworm: resolved (fixed in 2.3.4-5)
bullseye: resolved (fixed in 2.3.4-5)
forky: resolved (fixed in 2.3.4-5)
sid: resolved (fixed in 2.3.4-5)
trixie: resolved (fixed in 2.3.4-5)
GHSA
GHSA-p2qj-cw7j-f6wr: OpenVPN 2
ghsa_unreviewed·2022-05-13
CVE-2014-8104 [MEDIUM] GHSA-p2qj-cw7j-f6wr: OpenVPN 2
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
OSV
CVE-2014-8104: OpenVPN 2
osv·2014-12-03·CVSS 6.8
CVE-2014-8104 [MEDIUM] CVE-2014-8104: OpenVPN 2
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server [epel-all]
bugzilla·2014-12-01·CVSS 6.8
CVE-2014-8104 [MEDIUM] CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server [fedora-all]
bugzilla·2014-12-01·CVSS 6.8
CVE-2014-8104 [MEDIUM] CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: t
Bugzilla
CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server
bugzilla·2014-11-21·CVSS 6.8
CVE-2014-8104 [MEDIUM] CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server
It was discovered that an authenticated client could trigger an ASSERT() in OpenVPN by sending a too-short control channel packet to the server. This could cause the OpenVPN server to crash and deny access to the VPN to other legitimate users.
Acknowledgements:
Red Hat would like to thank the OpenVPN project for reporting this issue. Upstream acknowledges Dragana Damjanovic as the original reporter.
Discussion:
Created attachment 960011
upstream patch
---
External References:
http://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
---
Created openvpn tracking bugs for this issue:
Affects: fedora-all [bug 1169487]
Affects: epel-all [bug 1169488]
--
http://advisories.mageia.org/MGASA-2014-0512.html
http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00008.html
http://www.debian.org/security/2014/dsa-3084
http://www.mandriva.com/security/advisories?name=MDVSA-2015:139
http://www.ubuntu.com/usn/USN-2430-1
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b