David F. Skoll
04/05/06, 00:00
c0redump@ackers.org.uk wrote:
> There is a flaw (well more a stupid design than anything else) in
> OpenVPN 2.0.7 (and below) in the the Remote Management Interface
> that allows an attacker to gain complete control because there is NO
> AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).
One important mitigating factor: The management interface is not enabled
by default. I agree that it's a really stupid design, though.
Regards,
David.
(Return address set to devnull to swallow silly Bugtraq
out-of-office messages. Real address is dfs at ...)
> There is a flaw (well more a stupid design than anything else) in
> OpenVPN 2.0.7 (and below) in the the Remote Management Interface
> that allows an attacker to gain complete control because there is NO
> AUTHENTICATION (YES NO AUTHENTICATION AT ALL!).
One important mitigating factor: The management interface is not enabled
by default. I agree that it's a really stupid design, though.
Regards,
David.
(Return address set to devnull to swallow silly Bugtraq
out-of-office messages. Real address is dfs at ...)