FreeBSD : openvpn -- LD_PRELOAD code execution on client through malicious or compromised server (be4ccb7b-c48b-11da-ae12-0002b3b60e4c)

high Nessus Plugin ID 21505

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Hendrik Weimer reports:

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense; however, they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.
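The report above turns on one design decision on the client: which server-pushed names are allowed into the environment of the up/down scripts that the client runs as root. The Python below is an added illustration written for this page; it is not OpenVPN code and does not reproduce OpenVPN's option parser. It models the two filter designs side by side: a denylist that rejects only malformed names (so LD_PRELOAD, LD_LIBRARY_PATH and PATH all get through), and an allow-list that confines anything a server can push to an OPENVPN_ namespace, which is the approach OpenVPN 2.1's setenv-safe directive takes. The pushed option list, the simplified "directive name value" syntax, the file paths and the variable names are constructed sample input, not captured traffic.

```python
"""Added example (not OpenVPN project code): model of the client-side filter
applied to server-pushed 'setenv' options before up/down scripts are run.

The option syntax below is a simplification of OpenVPN's real push format;
all names, values and paths are constructed for illustration.
"""
import re

# Constructed sample of options a hostile or compromised server might push.
PUSHED_OPTIONS = [
    "route 10.8.0.0 255.255.255.0",
    "setenv LD_PRELOAD /tmp/evil.so",        # the trick from the report
    "setenv LD_LIBRARY_PATH /tmp",           # same effect, different name
    "setenv PATH /tmp:/usr/bin:/bin",        # script's 'ifconfig' -> /tmp/ifconfig
    "setenv FOO bar",                        # harmless
    "setenv-safe FOO bar",                   # namespaced variant of the above
    "setenv-safe LD_PRELOAD /tmp/evil.so",   # harmless once prefixed
    "setenv-safe bad;name x",                # rejected: not a valid identifier
]

# Names that the dynamic loader or the shell honours no matter what the script
# itself does. Deliberately not exhaustive: a denylist built from it would
# still miss the next such variable, which is the lesson of this advisory.
LOADER_SENSITIVE = re.compile(r"^(LD_|DYLD_|PATH$|IFS$|ENV$|BASH_ENV$)")

# Syntactically valid environment variable name.
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse(options):
    """Yield (directive, [args...]) for each pushed line (assumed format)."""
    for line in options:
        parts = line.split(None, 2)
        yield parts[0], parts[1:]


def naive_filter(options):
    """Filter that only stops 'obvious nonsense' (malformed names).

    Every syntactically valid name is exported to the scripts, so a pushed
    LD_PRELOAD reaches the loader when the script is exec'd as root.
    """
    env = {}
    for directive, args in parse(options):
        if directive == "setenv" and len(args) == 2:
            name, value = args
            if VALID_NAME.match(name):
                env[name] = value
    return env


def safe_filter(options):
    """Allow-list filter: a server may only populate the OPENVPN_ namespace.

    Plain 'setenv' is treated as a local-config-only directive and is never
    accepted from the server; 'setenv-safe NAME VALUE' is accepted but stored
    as OPENVPN_NAME, so no pushed name can collide with a loader or shell
    variable.
    """
    env = {}
    for directive, args in parse(options):
        if directive != "setenv-safe" or len(args) != 2:
            continue
        name, value = args
        if not VALID_NAME.match(name):
            continue
        env["OPENVPN_" + name] = value
    return env


def loader_sensitive(env):
    """Return the names in env that would influence ld.so or the shell."""
    return sorted(name for name in env if LOADER_SENSITIVE.match(name))


if __name__ == "__main__":
    for label, fn in (("naive", naive_filter), ("safe", safe_filter)):
        env = fn(PUSHED_OPTIONS)
        print(f"{label:5} env={env}")
        print(f"      loader-sensitive: {loader_sensitive(env)}")
```

Running the block shows the naive filter handing the scripts LD_PRELOAD, LD_LIBRARY_PATH and PATH, while the allow-list version yields only OPENVPN_FOO and OPENVPN_LD_PRELOAD, neither of which the loader reads. One caveat on the report's mitigating factor ("only authenticated servers"): that holds only if the client actually verifies that the peer presents a server certificate (for example with remote-cert-tls server in OpenVPN 2.1 or later), since otherwise any holder of a client certificate from the same CA can act as the server.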

Solution

Update the affected package.

See Also

http://www.osreviews.net/reviews/security/openvpn.print

https://openvpn.net/community-resources/changelog-for-openvpn-2-1/

https://sourceforge.net/p/gstreamer/mailman/message/15298074/

http://www.nessus.org/u?ed22276a

Plugin Details

Severity: High

ID: 21505

File Name: freebsd_pkg_be4ccb7bc48b11daae120002b3b60e4c.nasl

Version: 1.15

Type: local

Published: 5/13/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:openvpn, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 4/5/2006

Vulnerability Publication Date: 4/3/2006

Reference Information

CVE: CVE-2006-1629