lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <445E9B53.1060503@onda.com.br>
Date: Sun, 07 May 2006 22:13:55 -0300
From: Giancarlo Razzolini <linux-fan@...a.com.br>
To: bugtraq@...urityfocus.com
Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface
 Flaw

c0redump@...ers.org.uk wrote:
>> While this is arguably a misfeature, it's not like anyone reading the
>> documentation wouldn't know about it, and you have to explicitly enable
>> it. It does not seem too much of a problem to me.
> 
>> Joachim
> 
> Hi.
> 
> Of course it is, but it's hidden away nicely, and who reads
> documentation anyway eh? ;o)  ..certainly not a system administrator in
> a hurry to set up a VPN while being bitched at by his boss.  I thought
> I'd bring it to the attention of everyone on this list who may be
> running it, and didn't realise the implications.  If you want to bitch
> about something, bitch about these XSS attacks appearing on bugtraq
> relating to guestbook v1, etc. that about two people in the world use
> that doesn't include big organisations.  As opposed to OpenVPN - which
> is used by many, including some big organisations I'm guessing. 
> Additionally, they could have put warnings in the actual code, checks,
> even disable binding to a specific NIC.  However, as someone mentioned,
> they don't enable the interface by default - so we'll give them a blue
> peter badge for that.
> 
> Have a lovely day.
> 
> -- c0redump
> #hacktech @ undernet
> ps. thank you to the PGP girlies who gave me a free beer at infosec 2006
> - much love ;o)
> 
> 
People that don't read the documentation are the same that leave apache
web servers open, the same that set up open relay mail servers, and so
on. So actually reading the documentation is the right thing to do. The
management interface is an experimental feature, and it's not supposed
to be used on production sites. And further more, you can have
authentication. From the openvpn manual:

--management IP port [pw-file]
              Enable a TCP server on IP:port to handle daemon management
functions. pw-file,  if specified, is a password file (password on
        first line) or "stdin" to prompt from standard input.  The pass
             word  provided will set the password which TCP clients will
need          to provide in order to access management functions...

So, this is not a security flaw nor a design flaw, because it is an
EXPERIMENTAL feature. It is on the wish list for openvpn 2.1 to make it
use TLS/SSL. There is no point in your arguments. And, if you are so
worried about it, go use IPSec or even worse, use PPTP.

My 3 cents,
-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ