OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 03 2006 05:12PM
c0redump ackers org uk (2 replies)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 04 2006 07:31PM
Joachim Schipper (j schipper math uu nl) (2 replies)
On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump (at) ackers.org (dot) uk [email concealed] wrote:
> Hi,
>
> There is a flaw (well more a stupid design than anything else) in OpenVPN
> 2.0.7 (and below) in the the Remote Management Interface that allows an
> attacker to gain complete control because there is NO AUTHENTICATION (YES NO
> AUTHENTICATION AT ALL!). This can be carried out from within the LAN that
> the OpenVPN server is running on, over the VPN itself or via the internet.
> This happens because the management interface can be binded to an
> internet accessible IP address. Not good!

> The fix? Make sure you bind the remote management interface to 127.0.0.1 or
> a local network address (however, the later will not stop you getting pwned
> internally, obviously).
>
> A quote from the OpenVPN guys themselves:
>
> "The management protocol is currently cleartext without an explicit security
> layer. For this reason, it is recommended that the management interface
> either listen on localhost (127.0.0.1) or on the local VPN address. It's
> possible to remotely connect to the management interface over the VPN
> itself, though some capabilities will be limited in this mode, such as the
> ability to provide private key passwords."
>
> "Future versions of the management interface may allow out-of-band
> connections (i.e. not over the VPN) and secured with SSL/TLS."
>
> OMG *&$%*%# software vendors, please don't release stuff without
> authentication!

While this is arguably a misfeature, it's not like anyone reading the
documentation wouldn't know about it, and you have to explicitly enable
it. It does not seem too much of a problem to me.

Joachim

[ reply ]
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 05 2006 01:18PM
c0redump ackers org uk (1 replies)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 08 2006 01:13AM
Giancarlo Razzolini (linux-fan onda com br)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 05 2006 04:07AM
Kurt Seifried (bt seifried org)
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw May 03 2006 08:14PM
David F. Skoll (devnull roaringpenguin com)


 

Privacy Statement
Copyright 2010, SecurityFocus