VID | 23168
Severity | 40
Port | 7505
Protocol | TCP
Class | Daemon
Detailed Description |
The OpenVPN management interface is configured to be accessed remotely without authentication. OpenVPN is an open-source SSL VPN. The OpenVPN management interface allows OpenVPN to be administratively controlled from an external program via a TCP socket. OpenVPN version 2.0.7 and earlier versions do not require authentication to access the server's remote management interface. This flaw could allow a remote attacker to view sensitive information or cause a denial of service.
* References:
  http://openvpn.net/management.html
  http://www.securityfocus.com/archive/1/432863/30/60/threaded
  http://www.securityfocus.com/archive/1/archive/1/432863/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/432867/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/433000/100/0/threaded
* Platforms Affected:
  OpenVPN Solutions LLC, OpenVPN version 2.0.7 and earlier versions
  Any operating system, any version |
Recommendation |
No upgrade or patch available as of May 2006.
As a workaround, disable the management interface or configure it to listen only on a specific address, such as 127.0.0.1. |
Related URL | CVE-2006-2229 (CVE)
Related URL | (SecurityFocus)
Related URL | 26284 (ISS)
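A way to check the workaround above against a server configuration file, as an added example that is not part of the original advisory or of OpenVPN itself. It assumes the config-file form `management IP port` of the management directive; the function names and sample configs are constructed for illustration, and a hostname that is not a literal loopback address is treated as exposed.

```python
import ipaddress
import shlex

# Constructed sample configs for the demonstration (not from a real deployment).
SAMPLE_EXPOSED = "port 1194\nmanagement 0.0.0.0 7505  # all interfaces\n"
SAMPLE_LOOPBACK = "port 1194\n; management 0.0.0.0 7505\nmanagement 127.0.0.1 7505\n"
SAMPLE_DISABLED = "port 1194\nproto udp\n"

# Severity order used to keep the worst finding in a file.
RANK = {"disabled": 0, "loopback": 1, "malformed": 2, "exposed": 3}


def is_loopback(host):
    """True only when the bind address is provably local."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown hostname or keyword: do not assume it is local


def audit_management(config_text):
    """Return (status, detail), keeping the most severe finding in the file."""
    worst = ("disabled", "no management directive")
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or full-line comment
            continue
        tokens = shlex.split(line, comments=True)  # drops a trailing '# ...'
        if not tokens or tokens[0] != "management":
            continue
        if len(tokens) < 3:
            found = ("malformed", f"line {lineno}: expected 'management IP port'")
        else:
            status = "loopback" if is_loopback(tokens[1]) else "exposed"
            found = (status, f"line {lineno}: {tokens[1]}:{tokens[2]}")
        if RANK[found[0]] > RANK[worst[0]]:
            worst = found
    return worst


if __name__ == "__main__":
    for cfg in (SAMPLE_EXPOSED, SAMPLE_LOOPBACK, SAMPLE_DISABLED):
        print(audit_management(cfg))
```

A status of `disabled` or `loopback` matches the workaround; `exposed` means the interface is bound to an address other hosts may reach.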