OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.

According to its self-reported version number, the version of OpenVPN client installed on the remote Windows host is 2.0.x prior to 2.0.6. It is, therefore, affected by a remote command execution vulnerability. An unauthenticated remote attacker can exploit this by deploying a malicious OpenVPN server and executing code on clients' systems by using setenv with the LD_PRELOAD environment variable.

Hendrik Weimer discovered that OpenVPN, the Virtual Private Network daemon, allows to push environment variables to a client allowing a malicious VPN server to take over connected clients.

Hendrik Weimer reports :

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.

A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.

Updated packages have been patched to correct this issue by removing setenv support.

ID	Name	Product	Family	Severity
125643	OpenVPN Client 2.0.x < 2.0.6 Remote Code Execution Vulnerability	Nessus	Windows	high
22587	Debian DSA-1045-1 : openvpn - design error	Nessus	Debian Local Security Checks	high
21505	FreeBSD : openvpn -- LD_PRELOAD code execution on client through malicious or compromised server (be4ccb7b-c48b-11da-ae12-0002b3b60e4c)	Nessus	FreeBSD Local Security Checks	high
21206	Mandrake Linux Security Advisory : openvpn (MDKSA-2006:069)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2006-1629

critical

Tenable Plugins

high

high

high

high