openvpn -- arbitrary code execution on client through malicious or compromised server

ID 6129FDC7-6462-456D-A3EF-8FC3FBF44D16
Type freebsd
Reporter FreeBSD
Modified 2005-11-04T00:00:00


James Yonan reports:

A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79).