Bugtraq mailing list archives
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
From: Joachim Schipper <j.schipper () math uu nl>
Date: Thu, 4 May 2006 21:31:27 +0200
On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump () ackers org uk wrote:
> Hi,
>
> There is a flaw (well more a stupid design than anything else) in OpenVPN 2.0.7 (and below) in the Remote Management Interface that allows an attacker to gain complete control because there is NO AUTHENTICATION (YES NO AUTHENTICATION AT ALL!). This can be carried out from within the LAN that the OpenVPN server is running on, over the VPN itself or via the internet. This happens because the management interface can be bound to an internet accessible IP address. Not good!
>
> The fix? Make sure you bind the remote management interface to 127.0.0.1 or a local network address (however, the latter will not stop you getting pwned internally, obviously).
>
> A quote from the OpenVPN guys themselves:
>
> "The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords."
>
> "Future versions of the management interface may allow out-of-band connections (i.e. not over the VPN) and secured with SSL/TLS."
>
> OMG *&$%*%# software vendors, please don't release stuff without authentication!

While this is arguably a misfeature, it's not like anyone reading the documentation wouldn't know about it, and you have to explicitly enable it. It does not seem too much of a problem to me.

Joachim
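
The bind-address advice quoted in this thread can be checked mechanically. The following is an added example, not code from the thread or from the OpenVPN project: a small audit of the `management` directive in OpenVPN config text. The function names, severity labels and sample configs are hypothetical and constructed for illustration, and comment handling is simplified.

```python
import ipaddress

# Constructed sample configs for illustration (not from the original thread).
SAMPLES = {
    "loopback.conf": "port 1194\nmanagement 127.0.0.1 7505\n",
    "exposed.conf": "dev tun\n  management 0.0.0.0 7505  # all interfaces\n",
    "lan.conf": "management 192.168.1.10 7505 /etc/openvpn/mgmt.pw\n",
    "public.conf": "management 203.0.113.5 7505\n",
    "disabled.conf": "port 1194\n;management 0.0.0.0 7505\n",
}
# RFC 1918 private ranges: "local network" addresses in the sense of the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(host):
    """Map a management bind address to a severity label."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "REVIEW"   # hostname or socket path: resolve and check by hand
    if addr.is_loopback:
        return "OK"       # only local processes can connect
    if addr.is_unspecified:
        return "HIGH"     # 0.0.0.0 / :: listens on every interface
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "MEDIUM"   # LAN or VPN address: internal hosts can still connect
    return "HIGH"         # any other address is treated as externally reachable

def audit_management(config_text):
    """Return (line_no, host, port, severity, has_pw_file) per management line."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        # Simplified comment handling: cut at the first '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "management":
            # An optional third argument is a password file in the OpenVPN manual.
            findings.append((line_no, parts[1], parts[2],
                             classify(parts[1]), len(parts) > 3))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for line_no, host, port, sev, has_pw in audit_management(text):
            pw = "password file set" if has_pw else "no password file"
            print(f"{name}:{line_no}: [{sev}] management on {host}:{port} ({pw})")
```
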