Last week: 'OpenVPN client is secure!'
This week: 'Unpatched bug in OpenVPN server'
And it's a nasty one if the user you crack has admin rights
French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN's server.
The finding is a bit awkward because it comes after OpenVPN's client got a clean bill of health in two independent security audits earlier this month.
The attack, designated CVE-2017-5868, was published by Sysdream's Julien Boulet 90 days after the company says OpenVPN first acknowledged the issue.
While waiting for a fix, this OSS-SEC post suggests users put a reverse proxy between the server and the Internet, and restrict access to the Web interface.
The server's mistake is that it doesn't escape the carriage return/line feed (CR/LF) character combination. “Exploiting these vulnerabilities, we were able to steal a session from a victim and then access the application (OpenVPN-AS) with his rights.” the post says, adding that there are serious consequences if the victim is an administrator account.”
By opening the OpenVPN-AS application, the victim receives a valid session cookie pre-authentication. That session cookie can be set by the attacker using a malicious URL; and when the victim completes login, their profile and rights will be associated with the attacker's cookie.
In fairness, The Register notes that for such popular software with a big attack surface, OpenVPN has a fairly low turnover of security vulnerabilities. ®