Shellshocking OpenVPN servers
OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth.
When we discovered this last week we contacted security@openvpn.net as well as many of our colleagues. Given how many users could potentially be affected we reasoned that maximum utility would be achieved by giving VPN providers a heads up before warning everyone. If you were affected but not informed I apologize.
Cheers, Fredrik Strömberg (stromberg@mullvad.net)
6 comments
[ 3.2 ms ] story [ 25.7 ms ] threadMaybe if you had posted it as a blogpost somewhere and titled it "Privacy slammed by bash bug, vpn servers kernel wormable" then it would have received attention, like the other gazillion rude titles.
Nice find. Any other vectors for vpn servers besides the pre-auth user-pass-verify one described above?
I know openvpn can be configured to run some script when client is up or down, and I guess the openvpn server can also exploit a client by passing it dhcp-options which it most probably passess to ifup-down-scripts as env vars. But at least for clients there is script-security setting.
https://github.com/mubix/shellshocker-pocs/pull/14