lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 4 May 2006 21:31:27 +0200
From: Joachim Schipper <j.schipper@...h.uu.nl>
To: bugtraq@...urityfocus.com
Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw


On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump@...ers.org.uk wrote:
> Hi,
> 
> There is a flaw (well more a stupid design than anything else) in OpenVPN
> 2.0.7 (and below) in the the Remote Management Interface that allows an
> attacker to gain complete control because there is NO AUTHENTICATION (YES NO
> AUTHENTICATION AT ALL!).  This can be carried out from within the LAN that
> the OpenVPN server is running on, over the VPN itself or via the internet. 
> This happens because the management interface can be binded to an
> internet accessible IP address.  Not good!

> The fix?  Make sure you bind the remote management interface to 127.0.0.1 or
> a local network address (however, the later will not stop you getting pwned
> internally, obviously).
> 
> A quote from the OpenVPN guys themselves:
> 
> "The management protocol is currently cleartext without an explicit security
> layer.  For this reason, it is recommended that the management interface
> either listen on localhost (127.0.0.1) or on the local VPN address.  It's
> possible to remotely connect to the management interface over the VPN
> itself, though some capabilities will be limited in this mode, such as the
> ability to provide private key passwords."
> 
> "Future versions of the management interface may allow out-of-band
> connections (i.e. not over the VPN) and secured with SSL/TLS."
> 
> OMG *&$%*%# software vendors, please don't release stuff without
> authentication!

While this is arguably a misfeature, it's not like anyone reading the
documentation wouldn't know about it, and you have to explicitly enable
it. It does not seem too much of a problem to me.

		Joachim

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ