CVE-2005-2531

Properties

Published:
23.08.2005
Updated:
20.10.2005
Patch available:
Severity:
Low
  • CVSS vector:
    (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N) Approximated
    Product:
    OpenVPN: OpenVPN

    Vulnerability description

    OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and causes the error to be processed by the wrong client, which allows remote attackers to cause a denial of service (client disconnection) via a large number of failed authentication attempts.

    References:

    MANDRAKE: http://www.mandriva.com/security/advisories?name=MDKSA-2005:145
    DEBIAN: http://www.debian.org/security/2005/dsa-851
    http://openvpn.net/changelog.html: http://openvpn.net/changelog.html
    SECUNIA: http://secunia.com/advisories/16463
    SECUNIA: http://secunia.com/advisories/17103