Last week: 'OpenVPN client is secure!'
This week: 'Unpatched bug in OpenVPN server'

French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN's server. The finding is a bit awkward because it comes after OpenVPN's client got a clean bill of health in two independent security audits earlier this month. The attack, designated CVE-2017-5868, was published by …

  1. Anonymous Coward

    I think the headline is way off!

    OpenVPN consists of 3 components: OpenVPN Server, Admin Web interface / Admin UI and the Connect client. This comes straight from the quick start guide. This bug does not exist within the OpenVPN server, but with the web interface, which is a completely separate issue.

    If you're using OpenVPN then this doesn't imply that you're also using the web ui. I had even forgotten that it had a web interface to begin with, also because I never bothered to install it. On FreeBSD the OpenVPN server is known as security/openvpn, the web interface on the other hand is: security/openvpn-admin.

    And although you are right that we're basically using the exact same source tree there's another important detail to keep in mind... If you're using OpenVPN and compiled it from source then (from ./configure --help):

    --disable-management disable management server support [default=yes]

    So by default this service is disabled, only if you explicitly enabled it will it become a possible issue. Therefore I think the headline is all wrong: this has nothing to do with OpenVPN server, but all the more so with the OpenVPN management interface. Which isn't even used by default.

    1. Outer mongolian custard monster from outer space (honest)

      Re: I think the headline is way off!

      Have an upvote, I was reading this article wondering what the hell it was going on about problems with the web server component, then I remembered some installs come with a web gui enabled.

      Sane defaults, I wonder which distros ship with it enabled...

    2. Anonymous Coward

      Re: I think the headline is way off!

      For your bedroom PC and lone user, maybe. Most business VPN deployments are more complex and rely on the admin interface as well. Guess OpenVPN commercial offerings as well.

      1. This post has been deleted by its author

    3. Bill Michaelson

      Re: I think the headline is way off!

      Yeah, thanks. I read it and said to myself: "Whuh? OpenVPN has a web interface?"

      Relieved by your clarification. I carry on...

  2. SJA

    OpenVPN AS != OpenVPN

    OpenVPN AS is the commercial version of OpenVPN. OpenVPN by default does not have a wui and I tend to think most home users, SME businesses will not use the AS version.

  3. John Smith 19 Gold badge
    Unhappy

    What's the context?

    How long has the bug been present?

    How many others have been reported with this S/W?

    How does that compare with equivalent apps installed as part of commercial OS's?

    I'd suggest quite well but 90 days is a bit slow given how severe this seems.

    They seemed pretty good at fixing client issues but this seems worse.

    1. John Smith 19 Gold badge
      Unhappy

      Wow. Just astonished at the down votes.

      So what's wrong with my logic?

      As man + dog should have realized by now software is not perfect. Some do a better job of writing it than others. I'm trying to get where on the scale of "rock solid" to "utter garbage" this software is.

      1. CrazyOldCatMan Silver badge

        Re: Wow. Just astonished at the down votes.

        "I'm trying to get where on the scale of "rock solid" to "utter garbage" this software is."

        Mostly rock-solid. As others have observed, the exploit is not in the server portion but in the admin UI. I don't know whether the admin UI was part of the code audited (I'd be surprised if it was).

        1. John Smith 19 Gold badge
          Unhappy

          "Mostly rock-solid. "

          Which was sort of my point.

          Yes a serious security flaw is not good news, but how localized it is and how quickly it is dealt with by the developers is just as important.

          My impression is they have mostly been doing the right thing WRT to security.

  4. Anonymous Coward

    From the article,

    The server's mistake is that it doesn't escape the carriage return/line feed (CR/LF) character combination.

    Sigh. Sounds like yet another weakly defined, poorly implemented and feebly validated protocol. Surely even the inclusion of a suitable reg-ex is de rigueur these days?
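The missing CR/LF escaping quoted above, as an added example that is not from the article, the thread or OpenVPN's code: a constructed HTTP response builder that reflects a request value into a header, next to a rejecting and an encoding variant. The `Location` header, the function names and the sample value are assumptions; the page does not say where the unescaped CR/LF ends up.

```python
import re
from urllib.parse import quote

# C0 control characters and DEL. CR and LF terminate a header line,
# and many parsers also accept a bare LF as a line ending.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def build_headers_unsafe(target: str) -> bytes:
    """Reflects the value as-is: a CR/LF inside it ends the header line early."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def build_headers_strict(target: str) -> bytes:
    """Rejects any value that carries a control character."""
    if _CTL.search(target):
        raise ValueError("control character in header value")
    return build_headers_unsafe(target)


def build_headers_escaped(target: str) -> bytes:
    """Percent-encodes the value so CR/LF reach the wire as %0D%0A."""
    safe = quote(target, safe="/:?&=#%@+,;~")
    return f"HTTP/1.1 302 Found\r\nLocation: {safe}\r\n\r\n".encode("ascii")


def header_names(raw: bytes) -> list:
    """Returns the header names a CRLF-delimited parser sees in the header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode("ascii") for line in lines]


# Constructed sample value carrying a CR/LF pair and a harmless marker header.
SAMPLE = "/login\r\nX-Injected: 1"

if __name__ == "__main__":
    print(header_names(build_headers_unsafe(SAMPLE)))
    print(header_names(build_headers_escaped(SAMPLE)))
    try:
        build_headers_strict(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```
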

  5. Paul Woodhouse

    pfSense???

    So I'm quite right in thinking that the pfSense implementation of oVPN isn't affected by this one then?

    1. sitta_europea Silver badge

      Re: pfSense???

      No idea. You should probably ask on the pfSense mailing list:

      http://lists.pfsense.org/mailman/listinfo/list

    2. Anonymous Coward

      Re: pfSense???

      "So I'm quite right in thinking that the pfSense implementation of oVPN isn't affected by this one then?"

      That is correct - pfSense has its own web interface. It only uses the OpenVPN package itself.
