Remote Code Execution via CSRF

SEC Consult Vulnerability Lab Security Advisory < 20140716-1 >

=======================================================================

title: Remote Code Execution via CSRF

product: OpenVPN Access Server "Desktop Client"

vulnerable version: all

fixed version: not available

impact: critical

homepage: www.openvpn.net

found: 2014-05-12

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

OpenVPN Technologies is a privately held company based in Pleasanton,
California, integrating a suite of leading-edge networking and software
technologies.

 

Source: openvpn.net/index.php/about-menu/about-us.html

 

Business recommendation:

------------------------

Remote attackers who can get a user to open a malicious web page can execute
arbitrary code with SYSTEM privileges, intercept traffic or deanonymise the user
on computers with the OpenVPN Access Server "Desktop Client" installed. Affected
users should upgrade immediately to the OpenVPN Connect client.

 

Taken from OpenVPN's advisory:

"This advisory only applies to the OpenVPN Access Server "Desktop Client" app
for Windows, and does not affect OpenVPN Connect, Private Tunnel, or community
builds of OpenVPN for Windows."

 

 

Vulnerability overview/description:

-----------------------------------

The OpenVPN Access Server "Desktop Client" consists of two parts: a Windows
service that offers an XML-RPC API via a webserver on localhost, and a GUI
component that connects to this API.

The XML-RPC API is vulnerable to Cross-Site Request Forgery (CSRF): the service
does not verify that a request actually comes from the GUI component, so any web
page opened in the victim's browser can make the browser submit requests to the
localhost listener, and the service executes them. Binding the listener to
localhost does not help, because the forged requests are sent by the victim's
own browser. Using the API commands an attacker can:
- unmask a victim (e.g. by disconnecting an established VPN connection, so that
  subsequent traffic leaves via the real IP address)
- perform MITM attacks (by connecting the victim to an "evil" VPN server under
  the attacker's control)
- execute arbitrary code with SYSTEM privileges (by adding a VPN profile that
  executes code; the profile is applied by the service, hence SYSTEM)
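To make the mechanism concrete, the following is an added example written for this page; it is not SEC Consult's removed proof of concept and not OpenVPN's code. It shows the vulnerability class rather than the product: a localhost XML-RPC dispatcher that executes any well-formed call, the request a malicious page can make the victim's browser deliver to it via an auto-submitted text/plain form, and a hardened handler with the checks that let the service tell the GUI apart from a forged request. The method names vpn.connect and vpn.disconnect, the X-Api-Token header, the token value and the sample requests are assumptions constructed for illustration.

```python
import hmac
import xmlrpc.client

# Hypothetical RPC methods of a local VPN control service. The names are
# assumptions for this example, not the real Desktop Client API.
def rpc_connect(profile_name):
    return "connecting to " + profile_name

def rpc_disconnect():
    return "disconnected"

METHODS = {"vpn.connect": rpc_connect, "vpn.disconnect": rpc_disconnect}

def dispatch(body):
    """Parse an XML-RPC <methodCall> with the stdlib parser and run it."""
    params, method = xmlrpc.client.loads(body)
    return METHODS[method](*params)

def handle_vulnerable(headers, body):
    """Executes any well-formed XML-RPC body: nothing ties the request to
    the GUI, so a request forged by a web page is indistinguishable."""
    return True, dispatch(body)

def handle_hardened(headers, body, api_token):
    """Three checks that stop CSRF against a localhost RPC listener.
    `headers` is a dict keyed by lower-case header names."""
    # 1. Browsers attach Origin (possibly "null") and usually Referer to
    #    cross-site POSTs; a native local client never sends either.
    if "origin" in headers or "referer" in headers:
        return False, "refused: browser-originated request"
    # 2. XML-RPC is text/xml. An HTML form can only send text/plain,
    #    urlencoded or multipart bodies.
    if headers.get("content-type", "").split(";")[0].strip() != "text/xml":
        return False, "refused: unexpected Content-Type"
    # 3. The real control: a per-installation secret in a custom header.
    #    Forms cannot set headers, and XHR/fetch may only add one after a
    #    CORS preflight, which this server never answers. Constant-time compare.
    if not hmac.compare_digest(headers.get("x-api-token", ""), api_token):
        return False, "refused: missing or wrong API token"
    return True, dispatch(body)

# --- constructed sample requests (not captured traffic) -------------------

# What the victim's browser sends when a malicious page auto-submits
# <form method="POST" action="http://127.0.0.1:PORT/" enctype="text/plain">.
# text/plain encoding emits "<name>=<value>\r\n", so the attacker splits the
# XML so that the forced "=" lands inside a string parameter.
_FORM_FIELD_NAME = ('<?xml version="1.0"?><methodCall>'
                    '<methodName>vpn.connect</methodName>'
                    '<params><param><value><string>evil-profile')
_FORM_FIELD_VALUE = '</string></value></param></params></methodCall>'
EVIL_HEADERS = {"origin": "http://attacker.example",
                "referer": "http://attacker.example/lure.html",
                "content-type": "text/plain"}
EVIL_BODY = _FORM_FIELD_NAME + "=" + _FORM_FIELD_VALUE + "\r\n"

# What the legitimate GUI sends: no Origin, proper content type, shared token
# (in practice random per install, stored where only SYSTEM and the user read it).
API_TOKEN = "4b1d9e0c7f3a5e6d8c2b1a0f9e8d7c6b"  # assumed value
GUI_HEADERS = {"content-type": "text/xml; charset=utf-8",
               "x-api-token": API_TOKEN}
GUI_BODY = xmlrpc.client.dumps((), methodname="vpn.disconnect")

if __name__ == "__main__":
    print(handle_vulnerable(EVIL_HEADERS, EVIL_BODY))       # forged call runs
    print(handle_hardened(EVIL_HEADERS, EVIL_BODY, API_TOKEN))  # refused
    print(handle_hardened(GUI_HEADERS, GUI_BODY, API_TOKEN))    # GUI call runs
```

The Origin/Referer and Content-Type checks are defence in depth; only the token check is a hard barrier, because a browser cannot add a custom header to a cross-site request without a preflight. The "=" that the text/plain encoding forces into the body ends up as part of the string argument ("evil-profile="), which is why the vulnerable dispatcher still parses and executes the forged call.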

 

 

Proof of concept:

-----------------

Detailed proof of concept exploits have been removed for this vulnerability.

 

A video demonstrating this issue has been released by SEC Consult:
www.youtube.com/watch

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in OpenVPN Access Server
"Desktop Client" version 1.5.6, which was the most recent version at the time
of discovery. All other versions of the product are affected as well.

 

 

Vendor contact timeline:

------------------------

2014-05-12: Opening ticket at openvpn.net and attaching exploit and video.
2014-05-15: Vendor requests info about tested versions.
2014-05-15: Clarifying that tested version was obtained via
            swupdate.openvpn.net/downloads/openvpn-client.msi
2014-05-20: Vendor requests info about PrivateTunnel client (mentioned in
            initial advisory) and provides link to version with implemented
            CSRF mitigations.
2014-05-21: Clarifying that PrivateTunnel might be affected and patch
            validation is not covered.
[back and forth regarding whether PrivateTunnel is affected]
2014-07-01: Vendor announces that users should upgrade to OpenVPN Connect
            client.
2014-07-16: SEC Consult releases coordinated security advisory.

 

 

Solution:

---------

Upgrade to the OpenVPN Connect client.

 

More information can be found at:
openvpn.net/index.php/access-server/security-advisories.html

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarters:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested in working with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF Stefan Viehböck / @2014