Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw

[Joachim Schipper <j.schipper () math uu nl>]

On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump () ackers org uk wrote:
> Hi,
>
> There is a flaw (well more a stupid design than anything else) in OpenVPN
> 2.0.7 (and below) in the the Remote Management Interface that allows an
> attacker to gain complete control because there is NO AUTHENTICATION (YES NO
> AUTHENTICATION AT ALL!).  This can be carried out from within the LAN that
> the OpenVPN server is running on, over the VPN itself or via the internet. 
> This happens because the management interface can be binded to an
> internet accessible IP address.  Not good!

> The fix?  Make sure you bind the remote management interface to 127.0.0.1 or
> a local network address (however, the later will not stop you getting pwned
> internally, obviously).
>
> A quote from the OpenVPN guys themselves:
>
> "The management protocol is currently cleartext without an explicit security
> layer.  For this reason, it is recommended that the management interface
> either listen on localhost (127.0.0.1) or on the local VPN address.  It's
> possible to remotely connect to the management interface over the VPN
> itself, though some capabilities will be limited in this mode, such as the
> ability to provide private key passwords."
>
> "Future versions of the management interface may allow out-of-band
> connections (i.e. not over the VPN) and secured with SSL/TLS."
>
> OMG *&$%*%# software vendors, please don't release stuff without
> authentication!

While this is arguably a misfeature, it's not like anyone reading the
documentation wouldn't know about it, and you have to explicitly enable
it. It does not seem too much of a problem to me.

                Joachim