Shellshocking OpenVPN servers
86 points by kfreds on Sept 29, 2014 | 6 comments
OpenVPN servers are vulnerable to Shellshock under certain configurations.

OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is "auth-user-pass-verify". If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth.

When we discovered this last week we contacted security@openvpn.net as well as many of our colleagues. Given how many users could potentially be affected we reasoned that maximum utility would be achieved by giving VPN providers a heads up before warning everyone. If you were affected but not informed I apologize.

Cheers, Fredrik Strömberg (stromberg@mullvad.net)
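
A defensive check for the exposure described in the post above, added here as an example (it is not part of the original post and not OpenVPN code): it lists the script hooks in a server configuration whose script starts under `sh` or another shell, so those hosts can be patched first. The hook names are OpenVPN directives; the sample configuration and paths are constructed.

```python
import shlex

# OpenVPN directives that run an external command.
SCRIPT_HOOKS = {"auth-user-pass-verify", "tls-verify", "client-connect",
                "client-disconnect", "learn-address", "up", "down",
                "route-up", "route-pre-down", "ipchange"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}


def interpreter_of(first_line):
    """Return the interpreter basename from a '#!' line, or ''."""
    if not first_line.startswith("#!"):
        return ""
    names = [p.rsplit("/", 1)[-1] for p in first_line[2:].split()]
    # '#!/usr/bin/env bash' -> the interpreter is the word after env
    if names[:1] == ["env"]:
        names = names[1:]
    return names[0] if names else ""


def read_first_line(path):
    """Default reader: first line of the script on disk ('' if unreadable)."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.readline().strip()
    except OSError:
        return ""


def audit(config_text, first_line_of=read_first_line):
    """List (directive, script, interpreter) for hooks that run a shell."""
    findings = []
    for raw in config_text.splitlines():
        try:
            words = shlex.split(raw, comments=True)
            if len(words) < 2 or words[0].lstrip("-") not in SCRIPT_HOOKS:
                continue
            script = (shlex.split(words[1]) or [""])[0]  # drop quoted args
        except ValueError:  # unbalanced quotes: skip the line
            continue
        interp = interpreter_of(first_line_of(script) or "")
        if interp in SHELLS:
            findings.append((words[0].lstrip("-"), script, interp))
    return findings


# Constructed sample (not from the thread): config text and script first lines.
SAMPLE_CONF = "auth-user-pass-verify /etc/openvpn/checkpw.sh via-env\n"
SAMPLE_SCRIPTS = {"/etc/openvpn/checkpw.sh": "#!/bin/bash"}
```

A finding means the hook's script is started by a shell; whether that shell is still vulnerable depends on its patch level, which this check does not determine.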

What if the server is using certificate-based authentication? Does the 'hacker' have to present a valid certificate to use shellshock, or is there any server-side shell script that might be called during the authentication process? I'm using endian firewall (v2.5 community, based on ipcop). I have installed an up-to-date bash version, but, you know, you're never sure!

Did put in a pull-request with this info to "shellshocker-pocs" repo.


I have an OpenVPN server here, how do I test this?

Too bad this has been here for 10 hours and no upvotes or comments.

Maybe if you had posted it as a blogpost somewhere and titled it "Privacy slammed by bash bug, vpn servers kernel wormable" then it would have received attention, like the other gazillion rude titles.

Nice find. Any other vectors for vpn servers besides the pre-auth user-pass-verify one described above?

I know OpenVPN can be configured to run some script when a client is up or down, and I guess the OpenVPN server can also exploit a client by passing it dhcp-options which it most probably passes to ifup-down-scripts as env vars. But at least for clients there is a script-security setting.

I think that's possible only if the client is configured to use OpenVPN for DHCP.
