Vulnerability in OpenVPN
Two independent audit teams completed the verification of one of the most popular VPN clients today – OpenVPN. The researchers did not find any serious problems in the OpenVPN, and all small defects found by them were promptly eliminated by the developers. Then the representatives of OSTIF stated that “the corrections made to the OpenVPN meant that the world became safer when using this software.”
However, two audits do not mean that there are no bugs in the OpenVPN at all. So, this week, experts from Sydream Labs disclosed information about a vulnerability they discovered in the administrative interface of the OpenVPN as early as January 2017. Vulnerability allows you to steal someone else’s session, and then use it to access the OpenVPN-AS with the victim’s rights. If the victim had administrative privileges, the problem becomes even more serious –
The vulnerability was marked by the identifier CVE-2017-5868, but there is no patch for it yet. While there is still no fix, experts recommend using a Reverse Proxy function, which allows you to prevent the use of CRLF in the URI. Also, researchers advise to restrict or deny access to the web interface, at least by using white lists of IP addresses.