

Shellshocking OpenVPN servers - kfreds

OpenVPN servers are vulnerable to Shellshock under certain configurations.

OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth.

When we discovered this last week we contacted security@openvpn.net as well as many of our colleagues. Given how many users could potentially be affected we reasoned that maximum utility would be achieved by giving VPN providers a heads up before warning everyone. If you were affected but not informed I apologize.

Cheers, Fredrik Strömberg (stromberg@mullvad.net)
======
antocv
Too bad this has been here for 10 hours and no upvotes or comments.

Maybe if you had posted it as a blogpost somewhere and titled it "Privacy
slammed by bash bug, vpn servers kernel wormable" then it would have received
attention, like the other gazillion rude titles.

Nice find. Any other vectors for vpn servers besides the pre-auth
user-pass-verify one described above?

I know openvpn can be configured to run some script when client is up or down,
and I guess the openvpn server can also exploit a client by passing it
dhcp-options which it most probably passes to ifup-down-scripts as env vars. But
at least for clients there is script-security setting.

~~~
atmosx
I think that's possible only if the client is configured to use OpenVPN for
DHCP.

------
logik13
What if the server is using certificate-based authentication? Does the
'hacker' have to present a valid certificate to use shellshock or are there any
server-side shell scripts that might be called during the authentication
process? I'm using endian firewall (v2.5 community, based on ipcop). I have
installed up-to-date bash version, but, you know, you're never sure!

------
jacksoncage
Did put in a pull-request with this info to "shellshocker-pocs" repo.

[https://github.com/mubix/shellshocker-pocs/pull/14](https://github.com/mubix/shellshocker-pocs/pull/14)

~~~
tyleroderkirk
The repo now contains a link to a POC.
[https://github.com/mubix/shellshocker-pocs/commit/43592293f9...](https://github.com/mubix/shellshocker-pocs/commit/43592293f973b92da1edd2933903e692193e794e)

------
nicandris
I have an OpenVPN server here, how do I test this?
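
Added example, not part of the original thread and not OpenVPN's own code: a Python audit that lists the script hooks in a server config and flags those whose script runs under a shell, which is the condition the post describes. The set of directives beyond auth-user-pass-verify is a selection of OpenVPN's script options, and the sample config and script paths are constructed.

```python
import shlex
from pathlib import Path

# OpenVPN directives that run an external command with environment variables set.
SCRIPT_HOOKS = {"auth-user-pass-verify", "client-connect", "client-disconnect",
                "learn-address", "tls-verify", "up", "down", "route-up", "ipchange"}
SHELLS = {"sh", "bash"}  # /bin/sh is bash (or a link to it) on many systems

def interpreter_of(script_text):
    """Return the interpreter basename from the shebang line, or None."""
    lines = (script_text or "").splitlines()
    if not lines or not lines[0].startswith("#!"):
        return None
    parts = lines[0][2:].split()
    if parts and Path(parts[0]).name == "env":    # "#!/usr/bin/env bash"
        parts = parts[1:]
    return Path(parts[0]).name if parts else None

def audit(config_text, read_script):
    """Return (directive, script, interpreter, shell_backed) for every hook."""
    findings = []
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):          # ';' comments out a line
            continue
        tokens = shlex.split(raw, comments=True)  # strips '#' comments, honours quotes
        if len(tokens) < 2 or tokens[0] not in SCRIPT_HOOKS:
            continue
        cmd = tokens[1].split()                   # a quoted command may carry arguments
        if not cmd:
            continue
        interp = interpreter_of(read_script(cmd[0]))
        findings.append((tokens[0], cmd[0], interp, interp in SHELLS))
    return findings

# Constructed sample config and scripts (hypothetical paths), embedded to run offline.
SAMPLE_CONF = """\
port 1194
script-security 2
auth-user-pass-verify /etc/openvpn/auth.sh via-env
client-connect "/etc/openvpn/connect.py --log"
;up /etc/openvpn/old-up.sh
tls-verify /etc/openvpn/verify.pl   # perl, not a shell
"""
SAMPLE_SCRIPTS = {"/etc/openvpn/auth.sh": "#!/bin/bash\nexit 0\n",
                  "/etc/openvpn/connect.py": "#!/usr/bin/env python3\n",
                  "/etc/openvpn/verify.pl": "#!/usr/bin/perl\n"}

if __name__ == "__main__":
    for directive, script, interp, shell in audit(SAMPLE_CONF, SAMPLE_SCRIPTS.get):
        print(f"{directive:22} {script:26} {interp or '?':8} {'REVIEW' if shell else 'non-shell'}")
```

Against a real server, pass the config file's text and a reader such as `lambda p: Path(p).read_text(errors="replace")`. A hook written in another language can still reach `/bin/sh` if it shells out, so a "non-shell" result narrows the review rather than ending it, and a flagged hook still needs the installed bash version checked.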

