Bugtraq mailing list archives
Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
From: "David F. Skoll" <devnull () roaringpenguin com>
Date: Wed, 03 May 2006 16:14:09 -0400
c0redump () ackers org uk wrote:
> There is a flaw (well more a stupid design than anything else) in OpenVPN 2.0.7 (and below) in the Remote Management Interface that allows an attacker to gain complete control because there is NO AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).

One important mitigating factor: The management interface is not enabled by default. I agree that it's a really stupid design, though.

Regards,

David.

(Return address set to devnull to swallow silly Bugtraq out-of-office messages. Real address is dfs at ...)
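
A defender-side check for the mitigating factor discussed above, as an added example that is not part of the original post or of OpenVPN's own code: it scans an OpenVPN configuration for the `management IP port [pw-file]` directive and reports whether the interface is enabled, bound beyond loopback, or configured without a password file. The function name `audit_management` is hypothetical and the sample configuration is constructed to show each case.

```python
import ipaddress

# Constructed sample config (a real config would carry one management line).
SAMPLE = """\
dev tun
# management 10.0.0.1 7505   (commented out, so ignored)
management 0.0.0.0 7505
management 127.0.0.1 7505
management localhost 7505 /etc/openvpn/mgmt.pw
"""

def is_loopback(host):
    """True if host is a loopback IP literal or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit_management(config_text):
    """Return [(line_no, [issues])] for every active 'management' directive.

    An empty result means the management interface is not enabled.
    """
    results = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        # '#' and ';' start comments in OpenVPN config files.
        line = raw.split("#", 1)[0].split(";", 1)[0]
        tokens = line.split()
        if not tokens or tokens[0] != "management":
            continue
        args = tokens[1:]
        if len(args) < 2:
            results.append((line_no, ["malformed directive"]))
            continue
        issues = []
        if not is_loopback(args[0]):
            issues.append("listens on non-loopback address")
        if len(args) < 3:
            issues.append("no password file")
        results.append((line_no, issues))
    return results

if __name__ == "__main__":
    for line_no, issues in audit_management(SAMPLE):
        print(line_no, issues or ["ok"])
```
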