[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-devel] Possible security bug

  • Subject: Re: [Openvpn-devel] Possible security bug
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Mon, 03 Apr 2006 22:36:20 -0600


By default, the OpenVPN client doesn't accept pushed options from the server unless "pull" or "client" is specified. The idea is that once you agree to accept configuration info from the server, you are trusting (to a certain extent) in its integrity, so there are limits in how far the client can be protected against a server which successfully authenticates at the SSL/TLS level, but then turns out to be malicious.

But Hendrik has a point in that you might want that trust to be finer-grained -- you might want to accept routes pushed from a server, but not a setenv (which could potentially be abused).

The patch to remove setenv from the set of options which the client will accept from the server (when "pull" or "client" is specified is fairly simple.

Just go to the pull_permission_mask function in init.c and remove the OPT_P_SETENV flag from the mask.


Alberto Gonzalez Iniesta wrote:
Hi all,

I have just received the following bug report from the Debian Bug Track

From: Hendrik Weimer <hendrik@xxxxxxx>

As described in http://www.osreviews.net/reviews/security/openvpn
OpenVPN contains a security hole that allows a malicious VPN server to
take over connected clients.

OpenVPN allows to push environment variables to a client via 'push
setenv ...'. Using LD_PRELOAD it is possible to run arbitrary code as
root. The only prerequisite is that the attacker needs to control a
file on the victim's computer, e.g. by returning a specially crafted
document upon web access.

A possible solution would be to prefix all pushed environment
variables with something like 'OPENVPN_'.

What's your opinion on this?



Openvpn-devel mailing list