Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30937
HistoryJul 21, 2014 - 12:00 a.m.

SEC Consult SA-20140716-1 :: Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client"

2014-07-2100:00:00
vulners.com
26
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140716-1 >

          title: Remote Code Execution via CSRF
        product: OpenVPN Access Server &quot;Desktop Client&quot;

vulnerable version: all
fixed version: not available
impact: critical
homepage: http://www.openvpn.net
found: 2014-05-12
by: Stefan Viehbock
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor description:

OpenVPN Technologies is a privately held company based in the Pleasanton,
California, integrating a suite of leading-edge networking and software
technologies.

Source: http://openvpn.net/index.php/about-menu/about-us.html

Business recommendation:

Remote attackers can execute arbitrary code and execute other attacks on
computers with the OpenVPN Access Server "Desktop Client" installed. Affected
users should upgrade immediately to the OpenVPN Connect client.

Taken from OpenVPNs advisory:
"This advisory only applies to the OpenVPN Access Server "Desktop Client" app
for Windows, and does not affect OpenVPN Connect, Private Tunnel, or community
builds of OpenVPN for Windows."

Vulnerability overview/description:

The OpenVPN Access Server "Desktop Client" consists of two parts, a Windows
service that offers an XML-RPC API via a webserver on localhost and a GUI
component that connects to this API.

The XML-RPC API is vulnerable to Cross-Site Request Forgery (CSRF). Using the
API commands an attacker can:

    • unmask a victim (e.g. by disconnecting an established VPN connection)
    • perform MITM attacks (by connecting the victim to an "evil" VPN server)
    • execute arbitrary code with SYSTEM privileges (by adding a VPN profile that
      executes code)

Proof of concept:

Detailed proof of concept exploits have been removed for this vulnerability.

A video demonstrating this issue has been released by SEC Consult:
https://www.youtube.com/watch?v=qhgysgfvQh8

Vulnerable / tested versions:

The vulnerabilities have been verified to exist in OpenVPN Access Server
"Desktop Client" version 1.5.6, which was the most recent version at the time
of discovery.
All other versions of the product are affected as well.

Vendor contact timeline:

2014-05-12: Opening ticket at https://openvpn.net and attaching exploit and
video.
2014-05-15: Vendor requests info about tested versions.
2014-05-15: Clarifying that tested version was obtained via
http://swupdate.openvpn.net/downloads/openvpn-client.msi
2014-05-20: Vendor requests info about PrivateTunnel client (mentioned in
initial advisory) and provides link to version with implemented
CSRF mitigations.
2014-05-21: Clarifying that PrivateTunnel might be affected and patch
validation is not covered.
[back and forth regarding whether PrivateTunnel is affected]
2014-07-01: Vendor announces that users should upgrade to OpenVPN Connect
client.
2014-07-16: SEC Consult releases coordinated security advisory.

Solution:

Upgrade to the OpenVPN Connect client.

More information can be found at:
http://openvpn.net/index.php/access-server/security-advisories.html

Workaround:

No workaround available.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to [email protected]

EOF Stefan Viehbock / @2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 &#40;MingW32&#41;
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTxl3WAAoJECyFJyAEdlkKLTQIAI5PpEVH7aMhma0an/asHl21
SH8G1iEVU5dYjaoNNmGdoKXz8TMm/2XA7OP+ny6pp9LJOAeWJwbmDbFTDpiwhdRO
sC3TBI2cAhJTZpLRA5xvby6kFBluDmuG5/DNEynkAopQ73mB7RoacR5IKIigMvX1
PQPMrAjtnagAYZrIfcsXLC/RDcTVm5S1QqCYjs6/UCA40TiC7mGiSRN8s8Yr3ffB
rqMUg8TG/Ul/0rM11fjapW/It/G15Ms5mzqamBVbVAT0mrHel12DrkZm59D49vwz
fjghvNJ4aAyoe/yQECsmIMHosDOEvG9MGK4Zin0o9/n0yT9Cc4G1EidD5OHx+54=
=sNMW
-----END PGP SIGNATURE-----
JSON