CVE-2014-8104

Published: 03/12/2014 Updated: 12/05/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8
VMScore: 605
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Summary

OpenVPN 2.x prior to 2.0.11, 2.1.x, 2.2.x prior to 2.2.3, and 2.3.x prior to 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.

Vulnerable Product

mageia mageia 4.0

debian debian linux 8.0

debian debian linux 7.0

opensuse opensuse 12.3

opensuse opensuse 13.1

opensuse opensuse 13.2

openvpn openvpn 2.0 rc9

openvpn openvpn 2.1

openvpn openvpn 2.0 test19

openvpn openvpn 2.0 test17

openvpn openvpn 2.0 test28

openvpn openvpn 2.0 test10

openvpn openvpn 2.2

openvpn openvpn 2.0 test23

openvpn openvpn 2.2.2

openvpn openvpn 2.3

openvpn openvpn 2.0.1 rc3

openvpn openvpn 2.0 rc19

openvpn openvpn 2.2.1

openvpn openvpn 2.0.4

openvpn openvpn 2.0 rc21

openvpn openvpn 2.3.4

openvpn openvpn 2.0.1 rc4

openvpn openvpn 2.0.1 rc2

openvpn openvpn 2.0 test26

openvpn openvpn 2.3.0

openvpn openvpn 2.0 rc2

openvpn openvpn 2.0 test1

openvpn openvpn 2.0 rc20

openvpn openvpn 2.0 test14

openvpn openvpn 2.0 test6

openvpn openvpn 2.0 test12

openvpn openvpn 2.0.2 rc1

openvpn openvpn 2.0 rc3

openvpn openvpn 2.0.3 rc1

openvpn openvpn 2.3.3

openvpn openvpn 2.0 rc12

openvpn openvpn 2.1.2

openvpn openvpn 2.0 test3

openvpn openvpn 2.3.2

openvpn openvpn 2.0 rc5

openvpn openvpn 2.3.1

openvpn openvpn 2.0 rc6

openvpn openvpn 2.0.6 rc1

openvpn openvpn 2.0 rc11

openvpn openvpn 2.0 rc7

openvpn openvpn 2.0 rc4

openvpn openvpn 2.0 rc16

openvpn openvpn 2.0 test29

openvpn openvpn 2.0 test9

openvpn openvpn 2.0 test27

openvpn openvpn 2.1.0

openvpn openvpn 2.1.4

openvpn openvpn 2.0 test25

openvpn openvpn 2.0 test21

openvpn openvpn 2.0.9

openvpn openvpn 2.0 rc17

openvpn openvpn 2.0 test5

openvpn openvpn 2.0 test20

openvpn openvpn 2.0 rc10

openvpn openvpn 2.0 rc8

openvpn openvpn 2.0.1 rc1

openvpn openvpn 2.1.1

openvpn openvpn 2.0 test22

openvpn openvpn 2.0 test11

openvpn openvpn 2.0 test24

openvpn openvpn 2.0.1 rc6

openvpn openvpn 2.0 test7

openvpn openvpn 2.0.1 rc7

openvpn openvpn 2.0 rc14

openvpn openvpn 2.0 test4

openvpn openvpn 2.3.5

openvpn openvpn 2.0 rc18

openvpn openvpn 2.0 test15

openvpn openvpn 2.0 test8

openvpn openvpn 2.0 rc1

openvpn openvpn 2.0.1 rc5

openvpn openvpn 2.1.3

openvpn openvpn 2.0 test2

openvpn openvpn 2.0 rc15

openvpn openvpn 2.2.0

openvpn openvpn 2.0 test18

openvpn openvpn 2.0 test16

openvpn openvpn 2.0 rc13

openvpn openvpn access server 2.0.0

openvpn openvpn access server 2.0.1

openvpn openvpn access server 2.0.2

openvpn openvpn access server 2.0.3

openvpn openvpn access server 2.0.5

openvpn openvpn access server 2.0.6

openvpn openvpn access server 2.0.7

openvpn openvpn access server 2.0.8

openvpn openvpn access server 2.0.10

canonical ubuntu linux 12.04

canonical ubuntu linux 14.10

canonical ubuntu linux 14.04

Vendor Advisories

OpenVPN could be made to crash if it received specially crafted network traffic ...
Dragana Damjanovic discovered that an authenticated client could crash an OpenVPN server by sending a control packet containing less than four bytes as payload. For the stable distribution (wheezy), this problem has been fixed in version 2.2.1-8+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 2.3.4-5. We recommen ...
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet ...

Recent Articles

OpenVPN plugs DoS hole
The Register • Darren Pauli • 02 Dec 2014

VPN providers patch! Everyone else relax.

OpenVPN has patched a denial-of-service vulnerability which authenticated users could trigger by sending malicious packets. The flaw (CVE-2014-8104) is most hurtful to VPN service providers and was reported by researcher Dragana Damjanovic to OpenVPN last month. Maintainers said in an advisory issued this morning that the flaw affected versions back to at least 2005 and allowed TLS-authenticated clients to crash the server by sending a too-short control channel packet to the server. "In other wo...