OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 03 2006 05:12PM
c0redump ackers org uk (2 replies)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 04 2006 07:31PM
Joachim Schipper (j schipper math uu nl) (2 replies)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 05 2006 01:18PM
c0redump ackers org uk (1 replies)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 08 2006 01:13AM
Giancarlo Razzolini (linux-fan onda com br)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 05 2006 04:07AM
Kurt Seifried (bt seifried org)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 03 2006 08:14PM
David F. Skoll (devnull roaringpenguin com)
c0redump (at) ackers.org (dot) uk [email concealed] wrote:

> There is a flaw (well more a stupid design than anything else) in
> OpenVPN 2.0.7 (and below) in the the Remote Management Interface
> that allows an attacker to gain complete control because there is NO
> AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).

One important mitigating factor: The management interface is not enabled
by default. I agree that it's a really stupid design, though.

Regards,

David.
(Return address set to devnull to swallow silly Bugtraq
out-of-office messages. Real address is dfs at ...)

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus