CVE-2005-3393 - Remote Format String vulnerability in OpenVPN and OpenVPN Access Server

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, openvpn, nessus

Summary

Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitrary code via format string specifiers in a push of the dhcp-option command option.
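The following C program is an added illustration of the bug class the summary describes; it is a constructed example, not OpenVPN's options.c or its foreign_option function. The point it shows is that a value pushed by the server (such as the argument of a dhcp-option push) is untrusted input: it must be passed as data to a constant format string, never used as the format itself. The function names render_pushed_option and option_has_format_directive, and the sample push values, are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not OpenVPN code). Models the class of defect behind
 * CVE-2005-3393: a server-pushed option value reaches a printf-style call.
 * The unsafe shape is
 *
 *     snprintf(out, out_len, pushed_value);     // value IS the format string
 *
 * so any '%' directive inside the value drives the formatter with the
 * caller's own stack as its argument list. The fix is to keep the format a
 * string literal and pass the value as an argument, as below. Compilers flag
 * the unsafe shape with -Wformat-security; treat that warning as an error.
 */

/* Safe rendering: constant format, untrusted value passed as data.
 * Returns the number of characters snprintf would have written. */
int render_pushed_option(char *out, size_t out_len, const char *pushed_value)
{
    return snprintf(out, out_len, "Pushed option: %s", pushed_value);
}

/* Defensive check a client can run on each pushed value before logging or
 * exporting it: a '%' has no business in a DHCP option argument, so surface
 * it rather than silently accepting the push. */
bool option_has_format_directive(const char *pushed_value)
{
    return strchr(pushed_value, '%') != NULL;
}

int main(void)
{
    /* Constructed sample pushes: one benign, one carrying a directive. */
    const char *samples[] = { "DNS 10.8.0.1", "DNS %x%x" };
    char line[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_pushed_option(line, sizeof line, samples[i]);
        printf("%s [format directive: %s]\n", line,
               option_has_format_directive(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

With the safe rendering the second sample is printed literally as "DNS %x%x" and is flagged, which is the behaviour a client should have: the pushed text is logged as data and a suspicious push is visible in the log rather than interpreted.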

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-206.NASL
    description: Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur when, in TCP server mode, OpenVPN receives an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems. Update: Packages are now available for Mandriva Linux 2006.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20440
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20440
    title: Mandrake Linux Security Advisory : openvpn (MDKSA-2005:206-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:206. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20440);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2005-3393", "CVE-2005-3409");
      script_xref(name:"MDKSA", value:"2005:206-1");
    
      script_name(english:"Mandrake Linux Security Advisory : openvpn (MDKSA-2005:206-1)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two Denial of Service vulnerabilities exist in OpenVPN. The first
    allows a malicious or compromised server to execute arbitrary code on
    the client (CVE-2005-3393). The second DoS can occur if when in TCP
    server mode, OpenVPN received an error on accept(2) and the resulting
    exception handler causes a segfault (CVE-2005-3409).
    
    The updated packages have been patched to correct these problems.
    
    Update :
    
    Packages are now available for Mandriva Linux 2006."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvpn package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openvpn");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"openvpn-2.0.1-2.1.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_6129FDC76462456DA3EF8FC3FBF44D16.NASL
    description: James Yonan reports: A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having 'pull' or 'client' in its configuration file (Credit: Vade79).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21438
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21438
    title: FreeBSD : openvpn -- arbitrary code execution on client through malicious or compromised server (6129fdc7-6462-456d-a3ef-8fc3fbf44d16)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21438);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2005-3393");
    
      script_name(english:"FreeBSD : openvpn -- arbitrary code execution on client through malicious or compromised server (6129fdc7-6462-456d-a3ef-8fc3fbf44d16)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "James Yonan reports :
    
    A format string vulnerability in the foreign_option function in
    options.c could potentially allow a malicious or compromised server to
    execute arbitrary code on the client. Only non-Windows clients are
    affected. The vulnerability only exists if (a) the client's TLS
    negotiation with the server succeeds, (b) the server is malicious or
    has been compromised such that it is configured to push a maliciously
    crafted options string to the client, and (c) the client indicates its
    willingness to accept pushed options from the server by having 'pull'
    or 'client' in its configuration file (Credit: Vade79)."
      );
      # http://www.securityfocus.com/archive/1/415293/30/0/threaded
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/415293/30/0/threaded"
      );
      # http://openvpn.net/changelog.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://openvpn.net/community-resources/changelog-for-openvpn-2-1/"
      );
      # https://vuxml.freebsd.org/freebsd/6129fdc7-6462-456d-a3ef-8fc3fbf44d16.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?948a207d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:openvpn");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/11/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"openvpn>=2.0<2.0.4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200511-07.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200511-07 (OpenVPN: Multiple vulnerabilities). The OpenVPN client contains a format string bug in the handling of the foreign_option in options.c. Furthermore, when the OpenVPN server runs in TCP mode, it may dereference a NULL pointer under specific error conditions. Impact: A remote attacker could set up a malicious OpenVPN server and trick the user into connecting to it, potentially executing arbitrary code on the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20157
    published: 2005-11-07
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20157
    title: GLSA-200511-07 : OpenVPN: Multiple vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-885.NASL
    description: Several vulnerabilities have been discovered in OpenVPN, a free virtual private network daemon. The Common Vulnerabilities and Exposures project identifies the following problems: - CVE-2005-3393 A format string vulnerability has been discovered that could allow arbitrary code to be executed on the client. - CVE-2005-3409 A NULL pointer dereference has been discovered that could be exploited to crash the service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22751
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22751
    title: Debian DSA-885-1 : openvpn - several vulnerabilities
  • NASL family: Windows
    NASL id: OPENVPN_2_0_3.NASL
    description: According to its self-reported version number, the version of OpenVPN server installed on the remote Windows host is version 2.0.x prior to 2.0.3. It is, therefore, affected by a remote command execution vulnerability in its DHCP component due to a format string vulnerability. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with the privileges of the user running the server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128776
    published: 2019-09-16
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128776
    title: OpenVPN Server 2.0.x < 2.0.3 Remote Code Execution Vulnerability