<<< Date Index >>>     <<< Thread Index >>>

Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw



On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump@xxxxxxxxxxxxx wrote:
> Hi,
> 
> There is a flaw (well more a stupid design than anything else) in OpenVPN
> 2.0.7 (and below) in the the Remote Management Interface that allows an
> attacker to gain complete control because there is NO AUTHENTICATION (YES NO
> AUTHENTICATION AT ALL!).  This can be carried out from within the LAN that
> the OpenVPN server is running on, over the VPN itself or via the internet. 
> This happens because the management interface can be binded to an
> internet accessible IP address.  Not good!

> The fix?  Make sure you bind the remote management interface to 127.0.0.1 or
> a local network address (however, the later will not stop you getting pwned
> internally, obviously).
> 
> A quote from the OpenVPN guys themselves:
> 
> "The management protocol is currently cleartext without an explicit security
> layer.  For this reason, it is recommended that the management interface
> either listen on localhost (127.0.0.1) or on the local VPN address.  It's
> possible to remotely connect to the management interface over the VPN
> itself, though some capabilities will be limited in this mode, such as the
> ability to provide private key passwords."
> 
> "Future versions of the management interface may allow out-of-band
> connections (i.e. not over the VPN) and secured with SSL/TLS."
> 
> OMG *&$%*%# software vendors, please don't release stuff without
> authentication!

While this is arguably a misfeature, it's not like anyone reading the
documentation wouldn't know about it, and you have to explicitly enable
it. It does not seem too much of a problem to me.

                Joachim