OpenVPN Externally Shellshocked

Two days ago Fredrik Strömberg reported that OpenVPN, under certain configurations, made servers externally vulnerable to the Shellshock bug. The configuration problem stems from a number of options that call custom commands at different tunnel session stages. Upon calling many of these commands, environmental variables are set, with clients controlling some of them.

The command “auth-user-pass-verify” is one option used for username and password authentication that takes commands from the client. If the script being called uses a vulnerable bash shell then, “the client simply delivers the exploit and payload by setting the username” (Fredrik Strömberg).

The main issue here is that the attack is deliveried “pre-auth” and successful compromise will result in authenticated access to the OpenVPN server. Technical details of the attack can be found here.

To help understand this attack vector, we have created the following video that shows a successful exploit against OpenVPN: