
A vulnerability has been discovered in OpenVPN versions before 2.3.6 that allows an authenticated client to crash a VPN server remotely, i.e. to perform a denial-of-service attack.
The vulnerability is an incorrect use of ASSERT(): the server checks the minimum size of a control-channel packet from the client with this function, so the server process crashes if it receives a control packet shorter than 4 bytes from the client.
Note that to carry out the attack it is enough to establish communication over the control channel, i.e. in the case of TLS, the TLS exchange itself. VPN providers that implement authentication with a login/password plus a shared TLS key are vulnerable even before the login and password are verified.
The vulnerability exists in all versions of the OpenVPN 2.x branch, i.e. since at least 2005. The OpenVPN 3 branch, on which the mobile clients are based, is not affected by this vulnerability.
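The defect class described above, as an added example in C that is not OpenVPN's code: the wire layout, constants and function names here are constructed for illustration only. It places an assert()-based length check next to a parser that rejects a malformed control packet with an error code, so that the receive loop drops the packet and keeps serving instead of terminating the process.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy control-packet header (not OpenVPN's real wire format):
 *   byte 0    : message type
 *   byte 1    : flags
 *   bytes 2-3 : payload length, big-endian
 * Anything shorter than this header is malformed. */
#define CTRL_HDR_LEN 4

struct ctrl_hdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t payload_len;
};

/* Vulnerable pattern: the length check is an assert(). On a too-short packet
 * from a peer the whole daemon aborts, and if the build defines NDEBUG the
 * check disappears entirely and the reads below run past the buffer.
 * Kept here for contrast only; it is never called by the demo. */
int parse_ctrl_with_assert(const uint8_t *buf, size_t len, struct ctrl_hdr *out)
{
    assert(len >= CTRL_HDR_LEN);
    out->type = buf[0];
    out->flags = buf[1];
    out->payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    return 0;
}

/* Hardened pattern: treat peer input as untrusted, validate it, and report a
 * recoverable error so the caller can drop the packet and keep serving. */
int parse_ctrl_checked(const uint8_t *buf, size_t len, struct ctrl_hdr *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < CTRL_HDR_LEN)
        return -1;                       /* truncated header: drop, don't abort */
    out->type = buf[0];
    out->flags = buf[1];
    out->payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if ((size_t)out->payload_len != len - CTRL_HDR_LEN)
        return -1;                       /* declared length disagrees with packet */
    return 0;
}

/* Simulated receive loop over a batch of packets. Returns the number of
 * packets accepted and stores the number rejected in *dropped. The loop
 * never terminates the process, which is exactly what the assert() version
 * cannot guarantee. */
int serve_batch(const uint8_t *pkts[], const size_t lens[], int n, int *dropped)
{
    int accepted = 0;
    *dropped = 0;
    for (int i = 0; i < n; i++) {
        struct ctrl_hdr h;
        if (parse_ctrl_checked(pkts[i], lens[i], &h) == 0)
            accepted++;
        else
            (*dropped)++;
    }
    return accepted;
}

/* Constructed sample traffic: one well-formed packet, one 2-byte runt
 * (the short-packet case described in the text), and one whose length
 * field does not match the bytes actually received. */
const uint8_t good_pkt[]  = { 0x01, 0x00, 0x00, 0x02, 0xAA, 0xBB };
const uint8_t runt_pkt[]  = { 0x01, 0x00 };
const uint8_t lying_pkt[] = { 0x01, 0x00, 0x00, 0x10, 0xAA };

int main(void)
{
    const uint8_t *pkts[] = { good_pkt, runt_pkt, lying_pkt };
    const size_t lens[]   = { sizeof good_pkt, sizeof runt_pkt, sizeof lying_pkt };
    int dropped = 0;
    int accepted = serve_batch(pkts, lens, 3, &dropped);
    printf("accepted=%d dropped=%d (server still running)\n", accepted, dropped);
    return 0;
}
```

The point of the contrast is the failure mode, not the exact byte layout: an assertion is a statement about the program's own invariants, while a packet length is a property of the peer's input, and input that a remote party controls has to be rejected with an error path the server can survive.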
Either upgrade to version 2.3.6, or apply the patch to your version of OpenVPN.
The vulnerability has been assigned CVE-2014-8104.
Security announcement with the vulnerability description
Post on the forum
CVE-2014-8104
Latest version of OpenVPN