Bugtraq
mailing list archives
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
From: "David F. Skoll" <devnull () roaringpenguin com>
Date: Wed, 03 May 2006 16:14:09 -0400
c0redump () ackers org uk wrote:
> There is a flaw (well more a stupid design than anything else) in
> OpenVPN 2.0.7 (and below) in the Remote Management Interface
> that allows an attacker to gain complete control because there is NO
> AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).
One important mitigating factor: The management interface is not enabled
by default. I agree that it's a really stupid design, though.
Regards,
David.
(Return address set to devnull to swallow silly Bugtraq
out-of-office messages. Real address is dfs at ...)