2018/03/16

OpenVPN: Remote Information Disclosure and Denial Of Service (CVE-2018-7544)

BACKGROUND
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[9] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

DESCRIPTION
A cross-protocol issue was discovered in the management interface in OpenVPN through 2.4.4.
Remote attackers can interact with the OpenVPN service by triggering actions in a web browser to execute management commands, which could be used (for example) to leak sensitive information or silently crash the service.

PROOF OF CONCEPT
The management interface tries to execute every line it receives as a command. A multipart/form-data request places the value of a form field on a line of its own, so a controlled input arrives as a clean line and is executed as a command by the management interface. I've used the "signal SIGTERM" command to force the termination of the client, disconnecting the VPN without user notification, but any other command can be used. It is also possible to leak sensitive information such as the network interface configuration.

Here is the trivial PoC:
<html>
<body>
<form action="http://localhost:23000" method="post" enctype="multipart/form-data">
<textarea name="poc"> signal SIGTERM</textarea>
<input type="submit" value="Send">
</form>
</body>
</html>

The port can be brute forced (for example, via multiple XMLHttpRequest calls).

LIMITATIONS
Only one client can be connected to the management interface at the same time.

SOLUTION
Force the user to set a password or to include a specific parameter (--management_insecure) if the interface is configured to use TCP without a password.

VENDOR RESPONSE
Won't fix. They added some information to the man page recommending unix sockets instead of TCP.
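
A defender-side check for the exposed configuration described in this advisory, as an added example that is not part of the original advisory or of OpenVPN: it scans an OpenVPN config for management directives and flags TCP listeners that have no password file. It relies on the documented directive forms "management IP port [pw-file]" and "management socket-name unix [pw-file]"; the function name and the sample configs are constructed for illustration.

```python
import shlex

# Constructed sample configs (not taken from the advisory).
SAMPLE_TCP_OPEN = """\
client
dev tun
# local control channel
management 127.0.0.1 23000
"""
SAMPLE_TCP_PW = "management 127.0.0.1 23000 /etc/openvpn/mgmt.pw\n"
SAMPLE_UNIX = "management /run/openvpn/mgmt.sock unix\n"


def audit_management(config_text):
    """Return (line_no, verdict, detail) for every management directive found."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment markers
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue                            # unbalanced quotes: skip the line
        # Accept both config-file and command-line (--management) spelling.
        if not tokens or tokens[0].lstrip("-") != "management":
            continue
        args = tokens[1:]
        if len(args) < 2:
            findings.append((line_no, "invalid", "management needs two arguments"))
        elif args[1] == "unix":
            findings.append((line_no, "ok", "unix socket " + args[0]))
        elif len(args) >= 3:
            detail = "TCP %s:%s, pw-file %s" % tuple(args[:3])
            findings.append((line_no, "password", detail))
        else:
            detail = "TCP %s:%s without password" % (args[0], args[1])
            findings.append((line_no, "exposed", detail))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TCP_OPEN, SAMPLE_TCP_PW, SAMPLE_UNIX):
        for finding in audit_management(sample):
            print("line %d: %s (%s)" % finding)
```

Lines reported as "exposed" are the configuration this advisory describes: a TCP management listener that accepts commands without authentication.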

DISCOVERED BY
Jose Antonio Pérez Piedra