On 16.11.2024 at 17:22, נתי שטרן wrote:
> Hi,
> it's the same on the 2.6 version:
> Subject: Possible DoS Vulnerability - OpenVPN Server Showing Repeated
> TLS Handshake Failures
> Dear OpenVPN Security Team,
> I am writing to report a potential vulnerability to Denial-of-Service
> (DoS) attacks that I have observed in an OpenVPN server's logs. The
> server is exhibiting consistent TLS handshake failures, resulting in
> repeated process restarts. While the exact cause isn't immediately
> apparent, the symptoms strongly suggest a vulnerability to an attack
> vector that overwhelms the server with unsuccessful connection attempts.
This is too vague to act on.
> The logs demonstrate repeated errors of the form: "TLS key negotiation
> failed to occur within 5 seconds (check your network connectivity)"
> and "TLS handshake failed," followed by automatic server restarts. The
> server appears to be attempting to mitigate by increasing the restart
> delay with each failure, but this is only a temporary workaround, and
> the underlying issue persists.
Are these really server restarts, or did you get confused by the logging
message and the internal message and naming of signals that look
similar to a server restart? Also, if you are claiming something like
this, please include the log lines in your mail and not only your
interpretation of them.
> The observed behavior is highly suggestive of a DoS attack, where an
> attacker is attempting to exhaust server resources by triggering
> multiple failed TLS handshakes. This, along with the server
> automatically restarting in response, suggests a DoS mitigation
> procedure is in place that can only temporarily avoid service outages.
The earlier mails you sent to secur...@openvpn.net mentioned an OpenVPN
2.4.x version, which is vulnerable to a similar attack. But this has
been fixed, and new versions feature a handshake cookie mechanism. See
https://github.com/OpenVPN/openvpn/blob/master/Changes.rst and the
section "Cookie based handshake for UDP server".
> While I do not have direct access to the server configuration or the
> full scope of logs, I believe the behavior described poses a
> significant security risk. I have attached the partial log file
> demonstrating the repeated errors.
Without the full scope of logs or the server configuration, this is again
very circumstantial and vague.
> I would greatly appreciate it if you could investigate this potential
> vulnerability and provide any guidance or recommendations for
> strengthening the server's resilience against this type of attack. If
> further information is needed, please do not hesitate to ask.
You have not given anything that looks like a vulnerability, and I
currently dispute that you found a vulnerability. You have already been
given the advice that you need to test/upgrade the OpenVPN version to
2.6.x instead of 2.4.x. Repeating your statements without providing the
details and extra information we asked from you does not make them more
true or give us an extra incentive to look into them. On the contrary,
you will only annoy the developers and maintainers like me more, and this
is also why this mail is already being written in a less friendly tone.
The statement that you would provide more information when asked, while
not providing any of the extra information we did ask for, makes that
sentence and promise sound extra hollow.
Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel