There exist a number of variants of initial config command injection that an attacker can exploit. These include, but are not limited to, sending an initial config command with remote username and password fields.

PerFact OpenVPN-Client versions 1.4.1.0 and prior contain a security issue that an attacker can exploit to inject arbitrary config commands into the OpenVPN-Client daemon running on the target system. This attack can be accomplished by sending the user agent of the PerFact OpenVPN-Client daemon to the target system with the “--ping-restart” command line option. An attacker can send arbitrary config commands with remote username and password fields to the PerFact OpenVPN-Client daemon running on the target system. The PerFact OpenVPN-Client daemon on the target system will then attempt to restart the OpenVPN-Client daemon with the arbitrary config command injection. The security issue has been assigned the PerFact PGP Key 9FDAB95B.

CVE-2022-27402

There is a security issue in the method that parses the configuration file of OpenVPN-Client and PerFact OpenVPN-Client versions prior to 1.3.0. It can be exploited by an attacker on systems running Linux kernels with CONFIG_X86_32 disabled, which is present in certain distributions, including Ubuntu, CentOS and Debian. The issue is due to insufficient input validation when parsing the config file, where all fields are not properly validated before being passed to the system call.

Vulnerability Screenshot

The vulnerability can be exploited by sending the user agent of the PerFact OpenVPN-Client daemon to the target system with the “--ping-restart” command line option. The PerFact OpenVPN-Client daemon on the target system will then attempt to restart the OpenVPN-Client daemon with arbitrary config command injection.

The vulnerability has been assigned the PerFact PGP Key 9FDAB95B.

Vulnerability Analysis

The security issue is present in PerFact OpenVPN-Client versions 1.4.1.0 and prior, one of the most widely used VPN clients for Linux systems. An attacker can exploit this vulnerability to inject arbitrary config commands, with remote username and password fields, into the OpenVPN-Client daemon running on the target system.

PerFact has released a patch for this vulnerability, which can be downloaded from their website.

Vendor Response

No further information is currently available.

Timeline

Published on: 10/14/2022 17:15:00 UTC
Last modified on: 10/18/2022 13:38:00 UTC
