Bugtraq mailing list archives

Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw


From: "David F. Skoll" <devnull () roaringpenguin com>
Date: Wed, 03 May 2006 16:14:09 -0400

c0redump () ackers org uk wrote:

There is a flaw (well more a stupid design than anything else) in
OpenVPN 2.0.7 (and below) in the Remote Management Interface
that allows an attacker to gain complete control because there is NO
AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).

One important mitigating factor: The management interface is not enabled
by default.  I agree that it's a really stupid design, though.

Regards,

David.
(Return address set to devnull to swallow silly Bugtraq
out-of-office messages.  Real address is dfs at ...)

