Hi,

On Tue, Nov 23, 2021 at 02:49:10PM +0100, Ralf Hildebrandt wrote:
> Yeah, it's in German, but anyway:
> https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-Software-6274101.html
>
> "An attacker can take leverage on this architecture and send the
> config command from any application running on the local host machine
> to force the back-end server into initializing a new open-VPN instance
> with arbitrary open-VPN configuration. This could result in the
> attacker achieving execution with privileges of a SYSTEM user."
The "SYSTEM user" part is only relevant if you actually run openvpn.exe
with elevated privileges, which has been discouraged since at least 2.4 -
in our model, only the "openvpn interactive service" has SYSTEM
privileges, but openvpn.exe runs with the same privileges as the user
that is logged on.

So, it's not as bad, but you might still be able to mess up a local
user's VPN by getting their web browser to inject arbitrary crap into
the management interface...

> Are there any plans of protecting the management interface (i.e. on
> Windows-Client) using a random password, only known to the GUI &
> openvpn process?

... that said, looking into the openvpn gui sources, I find code that
does this...

    /* Create a management interface password */
    GetRandomPassword(c->manage.password, sizeof(c->manage.password) - 1);

    /* Construct command line -- put log first */
    _sntprintf_0(cmdline, _T("openvpn --log%ls \"%ls\" --config \"%ls\" "
        "--setenv IV_GUI_VER \"%hs\" --setenv IV_SSO openurl,crtext --service %ls 0 --auth-retry interact "
        "--management %hs %hd stdin --management-query-passwords %ls"

the "stdin" part here tells openvpn.exe "read the management password
from stdin"...

    /* Pass management password to OpenVPN process */
    c->manage.password[sizeof(c->manage.password) - 1] = '\n';
    WriteFile(hStdInWrite, c->manage.password, sizeof(c->manage.password), &written, NULL);

... so it seems our code already does this: generate a random password,
and protect the management interface with it.

ceterum censeo: if you build a product that incorporates OpenVPN, do not
run it with SYSTEM privileges and without a password, but have a look at
how other people do it...

gert
-- 
"If was one thing all people took for granted, was conviction that if
 you feed honest figures into a computer, honest figures come out. Never
 doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
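The random-password handoff discussed above, as an added example that is not code from openvpn-gui or OpenVPN: a Python model that generates a per-instance management password, builds a command line in which the secret never appears (the literal "stdin" after the address is what makes openvpn read the password from standard input), and a simplified login gate in front of the management commands. The response strings are modelled on the management protocol's ENTER PASSWORD / SUCCESS / ERROR lines; the ManagementLogin class, the port number and the config path are constructed stand-ins, not OpenVPN's implementation.

```python
import hmac
import secrets


def generate_management_password(nbytes: int = 16) -> str:
    """Fresh per-instance secret; stands in for the GUI's GetRandomPassword()."""
    return secrets.token_urlsafe(nbytes)


def build_openvpn_argv(config: str, host: str = "127.0.0.1", port: int = 25340) -> list:
    """Command line in the spirit of the GUI's: 'stdin' after host/port makes
    openvpn read the management password from standard input, so the secret
    is never visible in the process list the way an argv value would be."""
    return ["openvpn", "--config", config,
            "--management", host, str(port), "stdin",
            "--management-query-passwords"]


def password_for_stdin(password: str) -> bytes:
    """Bytes the launcher writes to the child's stdin: password plus newline."""
    return password.encode() + b"\n"


class ManagementLogin:
    """Simplified model (constructed for this example) of the management
    interface's login gate: before authentication only the correct password
    is accepted, and a wrong one ends the session. Not OpenVPN's code."""

    def __init__(self, password: str):
        self._password = password.encode()
        self.authenticated = False
        self.closed = False

    def greeting(self) -> str:
        return "ENTER PASSWORD:"

    def handle_line(self, line: str) -> str:
        if self.closed:
            raise ConnectionError("session already closed")
        if not self.authenticated:
            # Constant-time compare. A 'config' or any other command sent by
            # an unauthenticated local client is just a wrong password here.
            if hmac.compare_digest(line.encode(), self._password):
                self.authenticated = True
                return "SUCCESS: password is correct"
            self.closed = True
            return "ERROR: bad password"
        # Only an authenticated client reaches the command handler (model only).
        return "SUCCESS: command accepted"
```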
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users