On Wed, May 03, 2006 at 06:12:35PM +0100, c0redump@xxxxxxxxxxxxx wrote:
> Hi,
>
> There is a flaw (well, more a stupid design than anything else) in OpenVPN
> 2.0.7 (and below) in the Remote Management Interface that allows an
> attacker to gain complete control because there is NO AUTHENTICATION (YES, NO
> AUTHENTICATION AT ALL!). This can be carried out from within the LAN that
> the OpenVPN server is running on, over the VPN itself or via the internet.
> This happens because the management interface can be bound to an
> internet-accessible IP address. Not good!
> The fix? Make sure you bind the remote management interface to 127.0.0.1 or
> a local network address (however, the latter will not stop you getting pwned
> internally, obviously).
>
> A quote from the OpenVPN guys themselves:
>
> "The management protocol is currently cleartext without an explicit security
> layer. For this reason, it is recommended that the management interface
> either listen on localhost (127.0.0.1) or on the local VPN address. It's
> possible to remotely connect to the management interface over the VPN
> itself, though some capabilities will be limited in this mode, such as the
> ability to provide private key passwords."
>
> "Future versions of the management interface may allow out-of-band
> connections (i.e. not over the VPN) and secured with SSL/TLS."
>
> OMG *&$%*%# software vendors, please don't release stuff without
> authentication!

While this is arguably a misfeature, it's not like anyone reading the
documentation wouldn't know about it, and you have to explicitly enable it.
It does not seem too much of a problem to me.

Joachim
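The check an administrator would want after reading this thread is a quick audit of every OpenVPN server config for a `management` directive bound to anything other than loopback. The script below is an added example written for this page, not code from the thread or from the OpenVPN project; the two config files are constructed inline for illustration, and the function names, temp-directory layout and the "none / loopback / exposed" status vocabulary are my own.

```shell
#!/bin/sh
# Audit OpenVPN config files for a management interface that listens on a
# non-loopback address. Example code written for this page; the sample
# configs below are constructed, not taken from any real host.

# is_loopback ADDR: succeed if ADDR is a loopback address, fail otherwise.
is_loopback() {
  case "$1" in
    127.*|::1|localhost) return 0 ;;
    *)                   return 1 ;;
  esac
}

# mgmt_bind_status FILE
# Prints one word on stdout:
#   none      no active "management" directive in FILE
#   loopback  every "management" directive binds a loopback address
#   exposed   at least one "management" directive binds a routable address
# Returns 0 for none/loopback and 1 for exposed, so it can drive a CI gate.
# Lines starting with '#' or ';' are OpenVPN comments; because the first
# word of such a line is never exactly "management", they are skipped.
mgmt_bind_status() {
  file="$1"
  status="none"
  while read -r key addr port rest; do
    case "$key" in
      management)
        if is_loopback "$addr"; then
          [ "$status" = "exposed" ] || status="loopback"
        else
          status="exposed"
          printf 'EXPOSED: %s binds management on %s:%s\n' \
            "$file" "$addr" "${port:-?}" >&2
        fi
        ;;
    esac
  done < "$file"
  printf '%s\n' "$status"
  [ "$status" != "exposed" ]
}

# --- constructed sample configs -------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The weak setting: management reachable on every interface of the host.
cat > "$tmp/bad.conf" <<'EOF'
# constructed sample server config (weak)
port 1194
proto udp
dev tun
management 0.0.0.0 7505
EOF

# The corrected setting: management restricted to loopback.
cat > "$tmp/good.conf" <<'EOF'
# constructed sample server config (corrected)
port 1194
proto udp
dev tun
;management 0.0.0.0 7505
management 127.0.0.1 7505
EOF

# A config with no management interface at all.
cat > "$tmp/none.conf" <<'EOF'
port 1194
proto udp
dev tun
EOF

# Stand-alone run: report each file. Cross-check the live listener on the
# host with: ss -ltnp  (not run here).
for f in "$tmp/bad.conf" "$tmp/good.conf" "$tmp/none.conf"; do
  printf '%s: %s\n' "$f" "$(mgmt_bind_status "$f" 2>/dev/null)"
done
```

The function only reads the config; whether a process is actually listening, and on which address, is a separate check against the running daemon (`ss -ltnp` on Linux), and both should agree before the host is considered safe.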