FreeBSD : openvpn -- LD_PRELOAD code execution on client through malicious or compromised server (be4ccb7b-c48b-11da-ae12-0002b3b60e4c)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Hendrik Weimer reports :

OpenVPN clients are a bit too generous when accepting configuration
options from a server. It is possible to transmit environment
variables to client-side shell scripts. There are some filters in
place to prevent obvious nonsense; however, they don't catch the good
old LD_PRELOAD trick. All we need is to put a file onto the client
under a known location (e.g. by returning a specially crafted document
upon web access) and we have a remote root exploit. But since the
attack may only come from authenticated servers, this threat is
greatly reduced.

See also :

http://www.osreviews.net/reviews/security/openvpn-print
http://openvpn.net/changelog.html
http://sourceforge.net/mailarchive/message.php?msg_id=15298074
http://www.nessus.org/u?7134dc3e

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21505 (freebsd_pkg_be4ccb7bc48b11daae120002b3b60e4c.nasl)

Bugtraq ID:

CVE ID: CVE-2006-1629
