OpenVPN wasn’t immune to the Heartbleed vulnerability in OpenSSL, and it’s not going to sidestep Shellshock either.
Fredrick Stromberg, cofounder of Mullvad, a Swedish VPN company, reported that OpenVPN servers are vulnerable to Shellshock, the vulnerability in Bash plaguing Linux, UNIX and Mac OS X systems.
Stromberg said the attack vector in OpenVPN is particularly dangerous because it’s pre-authentication, putting all communication through a supposedly secure tunnel at risk.
“OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client,” Stromberg wrote in a post to Hacker News. “One option used for username+password authentication is ‘auth-user-pass-verify.’ If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username.”
Gert Doering, speaking on behalf of the open source community edition of OpenVPN, said that OpenVPN is vulnerable only on systems where /bin/sh points to /bin/bash, or where a script that explicitly uses bash as its interpreter is called.
“What you want to do from OpenVPN’s point of view is to ensure that you’re not using a 2.2.x version anymore, *and* that you just do not run your scripts using bash (‘#!/bin/bash’) but use a shell that is better suited to script usage, like ash/dash,” Doering said. “Also, always use client certificates, as the username verification script that is the attack vector here is only called after successful verification of a client cert. And, of course, update your systems in a timely fashion.”
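The checks Doering describes (no 2.2.x, no bash as the interpreter for hook scripts, /bin/sh not secretly bash, and client certificates in front of the username script) can be turned into a configuration audit. The script below is an added example, not code from the article, Mullvad or the OpenVPN project. It assumes the usual OpenVPN server config syntax; the article names only `auth-user-pass-verify`, and the other script-hook option names and the `client-cert-not-required` / `verify-client-cert none` options are taken from the OpenVPN manual. The sample config and scripts it audits are constructed in a temporary directory so the example runs offline.

```python
"""Audit an OpenVPN server config for the Shellshock exposure described above."""
import os
import re
import tempfile

# OpenVPN options that execute an external script or command. The article
# names only auth-user-pass-verify; the rest are assumed from the OpenVPN
# manual's list of script hooks.
SCRIPT_OPTIONS = {
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "tls-verify", "up", "down", "route-up", "ipchange",
}
# Shebang lines that hand the hook script to bash, the interpreter to avoid.
BASH_SHEBANG = re.compile(r"^#!\s*(?:/usr)?/bin/(?:env\s+)?bash\b")


def parse_config(text):
    """Yield (option, args) for each non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def script_uses_bash(path):
    """True if the script's first line is a bash shebang."""
    try:
        with open(path, "r", errors="replace") as f:
            return bool(BASH_SHEBANG.match(f.readline()))
    except OSError:
        return False  # missing or unreadable script: nothing to judge


def audit(config_text, sh_path="/bin/sh", openvpn_version=None):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    opts = list(parse_config(config_text))
    names = {o for o, _ in opts}

    if openvpn_version and openvpn_version.startswith("2.2."):
        findings.append("OpenVPN 2.2.x in use; move to a newer branch")

    # A /bin/sh that resolves to bash makes every '#!/bin/sh' hook run under bash.
    if os.path.basename(os.path.realpath(sh_path)) == "bash":
        findings.append(f"{sh_path} resolves to bash; #!/bin/sh hooks run under bash")

    # Hook scripts whose shebang names bash explicitly.
    for opt, args in opts:
        if opt in SCRIPT_OPTIONS and args and script_uses_bash(args[0]):
            findings.append(f"{opt} runs {args[0]} under bash")

    # Without a client-certificate requirement the username script is reachable
    # by anyone who can open a TLS session, removing the check Doering relies on.
    no_cert = "client-cert-not-required" in names or any(
        o == "verify-client-cert" and a[:1] == ["none"] for o, a in opts)
    if "auth-user-pass-verify" in names and no_cert:
        findings.append("auth-user-pass-verify is reachable without a client certificate")
    return findings


def build_sample(shebang, sh_target, require_cert):
    """Constructed sample: one hook script, a fake /bin/sh symlink, a config fragment."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "auth.sh")
    with open(script, "w") as f:
        f.write(f"{shebang}\n# would read username/password from the file in $1\nexit 0\n")
    target = os.path.join(d, sh_target)
    open(target, "w").close()
    fake_sh = os.path.join(d, "sh")
    os.symlink(target, fake_sh)
    config = (
        "# constructed server.conf fragment\n"
        "port 1194\n"
        "proto udp\n"
        f"auth-user-pass-verify {script} via-file\n"
        "script-security 2\n"
    )
    if not require_cert:
        config += "client-cert-not-required\n"
    return config, fake_sh


def demo():
    """Audit a weak and a hardened constructed setup; returns both finding lists."""
    weak_cfg, weak_sh = build_sample("#!/bin/bash", "bash", require_cert=False)
    hard_cfg, hard_sh = build_sample("#!/bin/sh", "dash", require_cert=True)
    return {
        "weak": audit(weak_cfg, sh_path=weak_sh, openvpn_version="2.2.2"),
        "hardened": audit(hard_cfg, sh_path=hard_sh, openvpn_version="2.3.4"),
    }


if __name__ == "__main__":
    for label, found in demo().items():
        print(f"{label}: {found or 'no findings'}")
```

On a real server, call `audit()` with the contents of the server config, the real `/bin/sh` and the version string from `openvpn --version`; the `via-file` method in the sample is the one that keeps credentials out of the environment, but it does not by itself stop a bash interpreter from parsing whatever other variables OpenVPN exports, which is why the interpreter check matters.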
Stromberg said the discovery was disclosed to OpenVPN last week.
“Given how many users could potentially be affected we reasoned that maximum utility would be achieved by giving VPN providers a heads up before warning everyone,” Stromberg wrote. “If you were affected but not informed I apologize.”
OpenVPN is an open source virtual private network software package. Requests for comment on the availability of a fix or workarounds went unanswered prior to publication. Stromberg also discovered that OpenVPN was vulnerable to Heartbleed and that researchers were able to chain together several exploits in order to steal private keys.
Since the vulnerability in Bash (Bourne Again Shell) was disclosed last Wednesday, news has been fluid. There are now six distinct vulnerabilities that have been discovered, one as severe as the initial Bash flaw, but all merit watching. A number of patches have been produced, including two within the first 12 hours of discovery last week, and others from major vendors including Apple last night.
The flaw lies in the way Bash executes code attached to an environment variable, letting an attacker who controls such a variable run commands. Google engineer Michal Zalewski, a prolific bug-hunter, urged administrators to apply a patch built by Red Hat engineer Florian Weimer or an upstream version adopted by Bash project engineer Chet Ramey, who pushed out Bash43-027.
“This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable’s contents to determine whether or not to interpret it as a shell function,” Ramey wrote in the patch advisory.
Zalewski wrote on his blog that he had discovered two new issues in Bash, one a remotely exploitable parsing issue that is exacerbated, he said, because Bash is not usually compiled with ASLR. The other vulnerability, the most severe so far, he said, permits remote code execution on systems that have been patched against the original vulnerability.
“It’s a ‘put your commands here’ type of a bug similar to the original report,” Zalewski wrote.
To date, a number of exploits have been reported, most of those just scanning the Internet looking for servers running vulnerable versions of Bash. One Perl bot discovered by AlienVault Labs opens a backdoor to a remote command and control server where more commands await. Experts speculate those exploits are trying to recruit bots to carry out DDoS attacks. Other exploits report system configuration data to a remote server or try to drop a remote shell on compromised machines.