Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitrary code via format string specifiers in a push of the dhcp-option command option.

According to its self-reported version number, the version of OpenVPN server installed on the remote Windows host is version 2.0.x prior to 2.0.3. It is, therefore, affected by a remote command execution vulnerability in its DHCP component due to a format string vulnerability. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with the privileges of the user running the server.

Several vulnerabilities have been discovered in OpenVPN, a free virtual private network daemon. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-3393     A format string vulnerability has been discovered that     could allow arbitrary code to be executed on the client.

  - CVE-2005-3409     A NULL pointer dereferencing has been discovered that     could be exploited to crash the service.

James Yonan reports :

A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having 'pull' or 'client' in its configuration file (Credit: Vade79).

Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur if when in TCP server mode, OpenVPN received an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409).

The updated packages have been patched to correct these problems.

Update :

Packages are now available for Mandriva Linux 2006.

The remote host is affected by the vulnerability described in GLSA-200511-07 (OpenVPN: Multiple vulnerabilities)

    The OpenVPN client contains a format string bug in the handling of     the foreign_option in options.c. Furthermore, when the OpenVPN server     runs in TCP mode, it may dereference a NULL pointer under specific     error conditions.
  Impact :

    A remote attacker could setup a malicious OpenVPN server and trick     the user into connecting to it, potentially executing arbitrary code on     the client's computer. A remote attacker could also exploit the NULL     dereference issue by sending specific packets to an OpenVPN server     running in TCP mode, resulting in a Denial of Service condition.
  Workaround :

    Do not use 'pull' or 'client' options in the OpenVPN client     configuration file, and use UDP mode for the OpenVPN server.

ID	Name	Product	Family	Severity
128776	OpenVPN Server 2.0.x < 2.0.3 Remote Code Execution Vulnerability	Nessus	Windows	high
22751	Debian DSA-885-1 : openvpn - several vulnerabilities	Nessus	Debian Local Security Checks	high
21438	FreeBSD : openvpn -- arbitrary code execution on client through malicious or compromised server (6129fdc7-6462-456d-a3ef-8fc3fbf44d16)	Nessus	FreeBSD Local Security Checks	high
20440	Mandrake Linux Security Advisory : openvpn (MDKSA-2005:206-1)	Nessus	Mandriva Local Security Checks	high
20157	GLSA-200511-07 : OpenVPN: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2005-3393

critical

Tenable Plugins

high

high

high

high

high