Letmein Connection Limiter Bypass Vulnerability Allowing Resource Exhaustion
Vulnerability
A vulnerability exists in Letmein, an authenticating port knocker, in versions through 10.2.0. The issue arises from an incorrectly implemented connection limiter, which fails to restrict the number of simultaneous incoming connections across TCP, UDP, and Unix sockets for the 'letmeind' and 'letmeinfwd' services. As a result, the command line option 'num-connections' is ineffective, allowing an arbitrary number of concurrent connections. This flaw could lead to resource exhaustion, causing a denial-of-service condition where the Letmein services become less responsive or unresponsive.
Impact
Exploitation of this vulnerability can cause resource exhaustion, leading to a degraded or unresponsive state for the Letmein services.
Remediation
Users are advised to upgrade to Letmein version 10.2.1, where this vulnerability has been patched. For those unable to upgrade, it may be possible to limit active connections to the 'letmeind' port using a firewall, or to manage resource consumption with a service manager like systemd.
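As an added example (not part of this advisory or the letmein project), the stop-gap described above as a shell function that renders an nftables ruleset capping concurrent connections to the letmeind port and a systemd drop-in bounding the daemon's resources; the listening port (not stated here) and the unit name letmeind.service are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or the letmein project.
# Renders the interim mitigation for hosts that cannot yet move to 10.2.1:
#  - an nftables ruleset that caps concurrent TCP connections to the letmeind
#    port and rate-limits UDP packets per source (UDP has no connections)
#  - a systemd drop-in bounding the daemon's tasks, file descriptors and memory
# Assumptions: the listening port is passed in (the advisory does not state
# it) and the daemon runs as the unit letmeind.service.

render_letmein_limits() {
    outdir=$1
    port=${2:?letmeind listening port required}
    max_conn=${3:-32}          # total concurrent TCP connections to allow
    udp_rate=${4:-20/second}   # per-source UDP packet budget

    mkdir -p "$outdir/letmeind.service.d"

    # 'ct count over N' is the nftables connlimit match; it needs a kernel and
    # nft release with connlimit support. 'ip saddr' only matches IPv4 here.
    cat > "$outdir/letmeind-limits.nft" <<EOF
table inet letmein_limits {
    chain input {
        type filter hook input priority -10; policy accept;
        tcp dport $port ct state new ct count over $max_conn counter reject with tcp reset
        udp dport $port meter udp_src { ip saddr limit rate over $udp_rate } counter drop
    }
}
EOF

    # Service-manager bounds keep a flood from starving the rest of the host
    # even if the firewall rule is bypassed. MemoryMax needs cgroup v2.
    cat > "$outdir/letmeind.service.d/limits.conf" <<EOF
[Service]
TasksMax=64
LimitNOFILE=256
MemoryMax=64M
EOF
}

# Usage (as root, on the real host; <port> is your letmeind port):
#   render_letmein_limits /tmp/letmein-mitigation <port> 32
#   nft -f /tmp/letmein-mitigation/letmeind-limits.nft
#   install -D -m 0644 /tmp/letmein-mitigation/letmeind.service.d/limits.conf \
#       /etc/systemd/system/letmeind.service.d/limits.conf
#   systemctl daemon-reload && systemctl restart letmeind
```

The nftables cap is global (all sources combined), which matches the semantics of the ineffective 'num-connections' option; the UDP meter is per source address.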