Hi, it's the same on the 2.6 version:

Subject: Possible DoS Vulnerability - OpenVPN Server Showing Repeated TLS Handshake Failures

Dear OpenVPN Security Team,

I am writing to report a potential vulnerability to Denial-of-Service (DoS) attacks that I have observed in an OpenVPN server's logs. The server is exhibiting consistent TLS handshake failures, resulting in repeated process restarts. While the exact cause isn't immediately apparent, the symptoms strongly suggest a vulnerability to an attack vector that overwhelms the server with unsuccessful connection attempts.

The logs demonstrate repeated errors of the form: "TLS key negotiation failed to occur within 5 seconds (check your network connectivity)" and "TLS handshake failed," followed by automatic server restarts. The server appears to be attempting to mitigate by increasing the restart delay with each failure, but this is only a temporary workaround, and the underlying issue persists.

The observed behavior is highly suggestive of a DoS attack, where an attacker is attempting to exhaust server resources by triggering multiple failed TLS handshakes. This, along with the server automatically restarting in response, suggests a DoS mitigation procedure is in place that can only temporarily avoid service outages.

While I do not have direct access to the server configuration or the full scope of logs, I believe the behavior described poses a significant security risk. I have attached the partial log file demonstrating the repeated errors.

I would greatly appreciate it if you could investigate this potential vulnerability and provide any guidance or recommendations for strengthening the server's resilience against this type of attack. If further information is needed, please do not hesitate to ask.

Sincerely,
Netanel

On Fri, 15 Nov 2024 at 17:30, Arne Schwabe <a...@rfc2549.org> wrote:

> On 15.11.24 at 13:56, נתי שטרן wrote:
> > I pentested OpenVPN 2.4 on client and I need to write a CVE on TLS Key
> > Negotiation Timeout Leading to DoS on 2.4 version
>
> You are free to publish your finding but they do not qualify for a CVE
> for two reasons
>
> - currently only proven that an EOL version is affected
> - the reported behaviour is expected behaviour and we do not see any
> security problems/implication in that behaviour, so no security problem,
> no CVE.

--
<https://netanel.ml>

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel