Linux Security

    ArchLinux: 202004-16: openvpn: denial of service

    Arch Linux Security Advisory ASA-202004-16
    ==========================================
    
    Severity: Medium
    Date    : 2020-04-17
    CVE-ID  : CVE-2020-11810
    Package : openvpn
    Type    : denial of service
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1135
    
    Summary
    =======
    
    The package openvpn before version 2.4.9-1 is vulnerable to denial of
    service.
    
    Resolution
    ==========
    
    Upgrade to 2.4.9-1.
    
    # pacman -Syu "openvpn>=2.4.9-1"
    
    The problem has been fixed upstream in version 2.4.9.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A security issue has been found in OpenVPN before 2.4.9, where a 'peer-
    id' check is not performed correctly during a small amount of time
    after a connection has been established. A rogue client sending a data
    channel packet during that time, from a different source address and
    with the same 'peer-id', would cause the client data to float to that
    new address, effectively stopping the VPN traffic of the first,
    legitimate client.
    
    Impact
    ======
    
    A remote attacker might be able to cause the legitimate VPN session of
    another client to stall, by sending a crafted packet right at the
    beginning of the VPN session.
    
    References
    ==========
    
    https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab
    https://community.openvpn.net/openvpn/ticket/1272
    https://security.archlinux.org/CVE-2020-11810
    
    
