OpenVPN Denial-of-Service Vulnerability in Versions 2.6.1 to 2.6.13

Vulnerability

A denial-of-service vulnerability has been identified in OpenVPN versions 2.6.1 through 2.6.13 when running in server mode with TLS-crypt-v2. Remote attackers can exploit it by corrupting and replaying network packets during the early handshake phase, which can cause the OpenVPN server to abort with an ASSERT() message. OpenVPN clients are not affected.

Impact

Exploitation of this vulnerability can cause the OpenVPN server to crash, aborting the session with an ASSERT() error message.

Reproduction

Reproducing this vulnerability requires a valid TLS-crypt-v2 client key. It is triggered by sending a specific combination of authenticated and malformed packets to the OpenVPN server during the early handshake phase; the packets needed can be obtained by observing a handshake performed with a valid TLS-crypt-v2 client key.

Remediation

Users can upgrade to OpenVPN version 2.6.14, which has been released and includes a critical security fix for this vulnerability.
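As an added triage check (not part of this advisory or of the OpenVPN project), the following Python flags a host that meets all three exposure conditions stated above: an affected version, server mode, and the tls-crypt-v2 directive. It assumes the first line of `openvpn --version` begins with `OpenVPN <major>.<minor>.<patch>` and that the server config is available as text; both sample inputs are constructed.

```python
import re

# Inclusive range of affected versions and the fixed release, per the advisory.
AFFECTED_MIN = (2, 6, 1)
AFFECTED_MAX = (2, 6, 13)
FIXED = (2, 6, 14)

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]\n"
SAMPLE_SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0     # server mode
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key
; tls-crypt legacy.key              (commented out, must be ignored)
"""


def parse_version(version_output: str) -> tuple:
    """Return (major, minor, patch) from the first 'OpenVPN x.y.z' token found."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no OpenVPN version string found")
    return tuple(int(x) for x in m.groups())


def config_tokens(conf: str) -> list:
    """Split a config into per-line token lists, dropping '#' and ';' comments."""
    tokens = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        tokens.append(line.split())
    return tokens


def assess(version_output: str, conf: str) -> dict:
    """Combine version range, server mode and tls-crypt-v2 use into one verdict."""
    version = parse_version(version_output)
    toks = config_tokens(conf)
    affected_version = AFFECTED_MIN <= version <= AFFECTED_MAX
    # 'server', 'server-ipv6' or 'mode server' all put OpenVPN into server mode.
    server_mode = any(t[0] in ("server", "server-ipv6") or t[:2] == ["mode", "server"]
                      for t in toks)
    tls_crypt_v2 = any(t[0] == "tls-crypt-v2" for t in toks)
    return {"version": version, "affected_version": affected_version,
            "server_mode": server_mode, "tls_crypt_v2": tls_crypt_v2,
            "exposed": affected_version and server_mode and tls_crypt_v2,
            "upgrade_to": FIXED if affected_version else None}
```

Running `assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SERVER_CONF)` reports `exposed: True`; a client config (no `server`/`mode server` directive) or any host already on 2.6.14 reports `exposed: False`.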

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.