Dear OpenVPN Security Team,

This report describes a potential vulnerability impacting OpenVPN, version 2.6, exhibiting behavior indicative of denial-of-service (DoS) conditions. The observed behavior strongly suggests a susceptibility to attacks that exhaust server resources through repeated failed TLS handshakes, causing frequent process restarts.

Observed Behavior:
Consistent TLS handshake failures, resulting in automatic server restarts, are observed. Log entries indicate escalating restart delays (initially 80 seconds, then consistently 300 seconds), demonstrating the server's attempt to mitigate this pattern but without success.

Evidence:
The attached log file (openvpn_log.txt - replace this with the actual filename if you're sending it as an attachment) details these repeated failures. Key entries include:
- Repeated "TLS key negotiation failed to occur within 5 seconds (check your network connectivity)" errors.
- Corresponding "TLS handshake failed" errors.
- SIGUSR1[soft,tls-error] signals, triggering server restarts.

Reproducibility:
While we can't definitively prove reproducibility without controlled testing, the consistent pattern, occurring even over extended periods with incrementally increasing retry timeouts, strongly suggests either network unreliability combined with server inadequacies to handle such errors gracefully, or a clear, repeatable exploitation approach capable of inducing sustained stress on OpenVPN instances without actual service outage.

Suspected Vulnerabilities:
The observed behaviour suggests at least one of the following:
- Inefficient TLS Handshake Handling: The server may not efficiently handle numerous failed handshake attempts, leading to resource exhaustion under sustained pressure.
- Vulnerability to a DoS Attack: The server might be susceptible to a DoS attack where a malicious actor triggers numerous connection attempts that consistently fail.

Mitigating Factors:
The self-mitigation measures already apparent in the server configuration include automatic restart after timeout. These automatic retries, combined with increasingly long durations for the forced pauses before restarting (80, then repeatedly 300 seconds), suggest attempts to alleviate this behaviour. They fail consistently.

Analysis:
The consistent failure rate combined with increased server pause intervals indicates that a self-mitigation measure implemented by the OpenVPN server processes appears not fully effective at recovering this. The frequency, and repetition, is far more aligned with possible DoS exploit capabilities and repeated attack attempts, far more than what could be considered a networking error of sorts only, regardless of network configuration changes attempted.

Client Configuration:
The attached OpenVPN client configuration file (openvpn_config.txt - again, use the correct filename) is provided for context.

Additional Notes:
The frequent "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1450)" messages suggest potential MTU/MSS issues, which may be unrelated to this main security risk issue or be an intrinsic cause instead. This would require extensive and highly targeted tests to validate the implication. Further investigation will be required.

We request your attention and an evaluation of this matter to establish if it constitutes a vulnerability eligible for CVE assignment.

Sincerely,
Netanel
--
<https://netanel.ml>

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
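
A triage sketch for the log pattern the report describes, added here as an example and not part of the original message or of OpenVPN's code: it counts the quoted events and checks whether each failure lands at the previous restart pause plus the negotiation window, which is consistent with the process's own retry timer pacing the failures. The timestamp format, the "Restart pause, N second(s)" wording and the sample lines are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not taken from the report's attachment); wording is
# assumed to follow the messages the report quotes.
SAMPLE_LOG = """\
2024-05-01 10:00:05 TLS Error: TLS key negotiation failed to occur within 5 seconds (check your network connectivity)
2024-05-01 10:00:05 TLS Error: TLS handshake failed
2024-05-01 10:00:05 SIGUSR1[soft,tls-error] received, process restarting
2024-05-01 10:00:05 Restart pause, 80 second(s)
2024-05-01 10:01:30 TLS Error: TLS key negotiation failed to occur within 5 seconds (check your network connectivity)
2024-05-01 10:01:30 TLS Error: TLS handshake failed
2024-05-01 10:01:30 SIGUSR1[soft,tls-error] received, process restarting
2024-05-01 10:01:30 Restart pause, 300 second(s)
2024-05-01 10:06:35 TLS Error: TLS key negotiation failed to occur within 5 seconds (check your network connectivity)
2024-05-01 10:06:35 TLS Error: TLS handshake failed
2024-05-01 10:06:35 SIGUSR1[soft,tls-error] received, process restarting
2024-05-01 10:06:35 Restart pause, 300 second(s)
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "  # assumed timestamp prefix
TIMEOUT = re.compile(TS + r".*TLS key negotiation failed to occur within (\d+) seconds")
HANDSHAKE = re.compile(r"TLS handshake failed")
RESTART = re.compile(r"SIGUSR1\[soft,tls-error\]")
PAUSE = re.compile(TS + r".*Restart pause, (\d+) second")

def summarize(log_text, slack=2):
    """Count failure events and record, per failure, whether it follows the
    previous restart by (pause + negotiation window) within `slack` seconds."""
    out = {"timeouts": 0, "handshake_failed": 0, "restarts": 0,
           "pauses": [], "self_paced": []}
    last_pause = None  # (time the pause was logged, pause length in seconds)
    for line in log_text.splitlines():
        out["handshake_failed"] += bool(HANDSHAKE.search(line))
        out["restarts"] += bool(RESTART.search(line))
        if (m := TIMEOUT.search(line)):
            out["timeouts"] += 1
            if last_pause:
                when = datetime.fromisoformat(m.group(1))
                gap = (when - last_pause[0]).total_seconds()
                expected = last_pause[1] + int(m.group(2))
                out["self_paced"].append(abs(gap - expected) <= slack)
        elif (m := PAUSE.search(line)):
            last_pause = (datetime.fromisoformat(m.group(1)), int(m.group(2)))
            out["pauses"].append(last_pause[1])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Failures that arrive well inside a pause, or far more often than the pause schedule allows, show up as `False` entries in `self_paced` and are the ones worth correlating with packet captures or peer addresses.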