Vulnerabilities > CVE-2006-2229 - Denial-Of-Service vulnerability in Openvpn and Openvpn Access Server

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL
network
high complexity
openvpn
nessus

Summary

OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service.

Vulnerable Configurations

Part Description Count
Application
Openvpn
85

Nessus

NASL familyMisc.
NASL idOPENVPN_MANAGEMENT_INTERFACE_ACCESSIBLE.NASL
descriptionThe remote host is running OpenVPN, an open source SSL VPN. The version of OpenVPN installed on the remote host does not require authentication to access the server
last seen2020-06-01
modified2020-06-02
plugin id21330
published2006-05-08
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/21330
titleOpenVPN Unprotected Management Interface
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21330);
  script_version("1.18");

  script_cve_id("CVE-2006-2229");

  script_name(english:"OpenVPN Unprotected Management Interface");
  script_summary(english:"Looks for banner of OpenVPN Management Interface");

 script_set_attribute(attribute:"synopsis", value:
"The remote VPN server can be managed remotely without authentication." );
 script_set_attribute(attribute:"description", value:
"The remote host is running OpenVPN, an open source SSL VPN. 

The version of OpenVPN installed on the remote host does not require
authentication to access the server's management interface.  An
attacker can leverage this issue to gain complete control over the
affected application simply by telneting in." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/432863/30/60/threaded" );
 script_set_attribute(attribute:"see_also", value:"https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/" );
 script_set_attribute(attribute:"solution", value:
"Disable the management interface or bind it only to a specific
address, such as 127.0.0.1." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:P");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/08");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/05/03");
 script_cvs_date("Date: 2018/11/15 20:50:23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value: "cpe:/a:openvpn:openvpn");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("find_service1.nasl");
  script_require_ports("Services/unknown", 7505);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");


# nb: there is no default port, but the documentation uses 7505.
if (thorough_tests && ! get_kb_item("global_settings/disable_service_discovery")  ) {
  port = get_unknown_svc(7505);
  if (!port) exit(0);
}
else port = 7505;
if (!port || !get_tcp_port_state(port)) exit(0);


# Check the server's banner.
banner = get_kb_item("Banner/"+port);
if (banner && "OpenVPN Management Interface Version" >< banner)
  security_warning(port);