Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw



c0redump@xxxxxxxxxxxxx wrote:
>> While this is arguably a misfeature, it's not like anyone reading the
>> documentation wouldn't know about it, and you have to explicitly enable
>> it. It does not seem too much of a problem to me.
> 
>> Joachim
> 
> Hi.
> 
> Of course it is, but it's hidden away nicely, and who reads
> documentation anyway eh? ;o)  ..certainly not a system administrator in
> a hurry to set up a VPN while being bitched at by his boss.  I thought
> I'd bring it to the attention of everyone on this list who may be
> running it, and didn't realise the implications.  If you want to bitch
> about something, bitch about these XSS attacks appearing on bugtraq
> relating to guestbook v1, etc. that about two people in the world use
> that doesn't include big organisations.  As opposed to OpenVPN - which
> is used by many, including some big organisations I'm guessing. 
> Additionally, they could have put warnings in the actual code, checks,
> even disable binding to a specific NIC.  However, as someone mentioned,
> they don't enable the interface by default - so we'll give them a blue
> peter badge for that.
> 
> Have a lovely day.
> 
> -- c0redump
> #hacktech @ undernet
> ps. thank you to the PGP girlies who gave me a free beer at infosec 2006
> - much love ;o)
> 
> 
People that don't read the documentation are the same that leave apache
web servers open, the same that set up open relay mail servers, and so
on. So actually reading the documentation is the right thing to do. The
management interface is an experimental feature, and it's not supposed
to be used on production sites. And furthermore, you can have
authentication. From the openvpn manual:

--management IP port [pw-file]
    Enable a TCP server on IP:port to handle daemon management functions.
    pw-file, if specified, is a password file (password on first line) or
    "stdin" to prompt from standard input. The password provided will set
    the password which TCP clients will need to provide in order to access
    management functions...

So, this is not a security flaw nor a design flaw, because it is an
EXPERIMENTAL feature. It is on the wish list for openvpn 2.1 to make it
use TLS/SSL. There is no point in your arguments. And, if you are so
worried about it, go use IPSec or even worse, use PPTP.

My 3 cents,
-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
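The dispute above comes down to how the --management directive is written in a given config. The following audit script is an added example, not from the thread or from the OpenVPN project: it scans a config file for "management IP port [pw-file]" lines and flags any that listen on a non-loopback address or omit the pw-file. The sample config it runs on is constructed here, and the handling of the unix-socket form is an assumption about later OpenVPN releases.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: audit an OpenVPN
# config for the "management IP port [pw-file]" directive discussed above.
# A line is flagged as weak when the interface is bound to a non-loopback
# address, or when no pw-file (and no "stdin") is given, so any TCP client
# that can reach the port gets unauthenticated daemon control.
# Return status: 0 = no management line or all lines acceptable, 1 = weak.

check_mgmt_config() {
    awk '
        /^[[:space:]]*[#;]/ { next }               # skip comment lines
        $1 == "management" {
            addr = $2; port = $3; pw = $4; weak = 0
            # "management /path unix [pw-file]" is a local socket, not a TCP
            # listener (unix-socket form is from later releases; assumption)
            local_only = (port == "unix" || addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
            if (!local_only) {
                printf("WEAK  line %d: management listens on %s:%s, reachable off-host\n", NR, addr, port)
                weak = 1
            }
            if (pw == "") {
                printf("WEAK  line %d: management on %s:%s has no pw-file, no authentication\n", NR, addr, port)
                weak = 1
            }
            if (!weak) {
                printf("OK    line %d: management on %s:%s, password from %s\n", NR, addr, port, pw)
            }
            if (weak) { found_weak = 1 }
        }
        END { exit found_weak ? 1 : 0 }
    ' "$1"
}

# Run it on a constructed config that mirrors the misconfiguration the thread debates.
sample=$(mktemp)
printf 'port 1194\nproto udp\n# experimental management channel\nmanagement 0.0.0.0 7505\n' > "$sample"
check_mgmt_config "$sample" || echo "management interface exposed without a password: fix $sample"
rm -f "$sample"
```

Run it as `sh check_mgmt.sh` or source it and call `check_mgmt_config /etc/openvpn/server.conf`; a non-zero exit means at least one management line needs to be moved to loopback or given a pw-file.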
