Mike Ireton

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.0.4 **Description** The issue allows remote attackers to cause a denial of service, potentially leading to a segmentation fault, by forcing an error status in the accept function call, resulting in a null dereference in an exception handler. Multiple vulnerabilities in the OpenVPN package can lead to breaches of confidentiality, integrity, and availability of protected information, and can be exploited remotely. **Recommendations** For OpenVPN versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenVPN service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.0.1 **Description** The issue allows remote attackers to cause a denial of service, specifically client disconnection, via a large number of failed authentication attempts. This can happen when OpenVPN is running with "verb 0" and without TLS authentication, causing the error to be processed by the wrong client. The vulnerability can be exploited remotely and may lead to disruption of protected information. **Recommendations** For OpenVPN versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider enabling TLS authentication to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.0.1 **Description** The issue allows remote authenticated attackers to cause a denial of service, specifically client disconnection, by sending a large number of packets that cannot be decrypted. This is due to OpenVPN's failure to properly flush the OpenSSL error queue when a packet cannot be decrypted by the server. Multiple vulnerabilities in the OpenVPN package may lead to disruption of protected information availability, and exploitation can be carried out remotely. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the number of undecryptable packets that can be sent to the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.0.1 **Description** The issue concerns multiple vulnerabilities in the OpenVPN package in Debian GNU/Linux, which can lead to disruption of protected information availability. These vulnerabilities can be exploited remotely. Specifically, when OpenVPN is running in "dev tap" Ethernet bridging mode, remote authenticated clients can cause a denial of service (memory exhaustion) by flooding the system with packets containing a large number of spoofed MAC addresses. **Recommendations** For OpenVPN versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "dev tap" mode to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.0.1 **Description** A race condition issue exists that can cause a denial of service, specifically a server crash, when multiple clients with the same client certificate establish simultaneous TCP connections. This issue can be exploited remotely. Multiple vulnerabilities in the OpenVPN package may lead to disruption of protected information availability. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the simultaneous TCP connections feature or restricting access to the OpenVPN server until the update is applied.