OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

[SECURITY] Possible Code Injection Issue #1133

Closed jmrcsnchz closed 2 months ago

jmrcsnchz commented 4 months ago

[deleted for security purposes]

TinCanTech commented 4 months ago

deleted for security purposes

Which security purposes does this refer to ?

If you do not want to pursue this theory then you can close this issue.

jmrcsnchz commented 4 months ago

Hi @TinCanTech, deleted the issue details to avoid risk in exposure. Can we discuss this issue privately via email? Thanks!

TinCanTech commented 4 months ago

Absolutely, please send details to security@openvpn.net

jmrcsnchz commented 4 months ago

Hi there, I sent an email detailing this issue. Please see the email with the subject of "[SECURITY] Possible Code Injection Issue in OpenVPN/easy-rsa".

dsommers commented 4 months ago

I'll provide @TinCanTech the details from that mail.

TinCanTech commented 4 months ago

Quote:

Addressing these concerns:

There is no privilege escalation attack in this POC.

vars is completely open to code injection.

For example, there is nothing stopping a malicious user from adding this code to the vars file:

fork() {
    fork | fork &
}
fork

EasyRSA takes no steps to control this type of abuse.

See code injection above.

Regarding this recommendation:

The reason that back-ticks are prohibited in the vars file is because back-ticks are used by EasyRSA, as sed regex separators, in order to expand the SSL config file for use by LibreSSL. In the organisation fields, e.g. EASYRSA_REQ_ORG, use of back-ticks is not allowed.

Allowing command substitution via setvar foo "$(bar)" is acceptable and there are legitimate uses of such, e.g. automating post-dated certificate signing.

However, the email that I received from @dsommers does express a preference:

The basic recommendation to disallow command substitution as a general rule gives less worries about potential abuse in the future for EasyRSA.

To address this concern, I will give some time and thought.
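The thread above describes a vars file that is sourced as shell, so an injected function or a "$(bar)" value runs as-is. As an added example (not easy-rsa's own code, and not from any participant in this thread), here is the kind of pre-source lint an operator could run over a vars file before handing it to EasyRSA; the set_var-only policy, the function names and the sample files are all assumptions constructed for this example.

```shell
# Added example, not easy-rsa's own code: lint a vars file before it is
# sourced. Only blank lines, comments and "set_var NAME value" lines pass, and
# no line may contain "$(" or a back-tick. The policy and function names are
# assumptions of this example; EasyRSA itself sources vars unchecked.

# vars_lint FILE
# Prints "N: reason: line" for each refused line. Returns 0 for an acceptable
# file, 1 if any line was refused, 2 if FILE is unreadable.
vars_lint() {
    [ -r "$1" ] || return 2
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # strip leading whitespace so indented comments still count as comments
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in
            ''|'#'*) continue ;;
            *'$('*|*'`'*)
                printf '%d: command substitution: %s\n' "$n" "$line"
                bad=1; continue ;;
        esac
        # anything else that is not a set_var assignment is executable shell
        # (a function definition, a bare command) and is refused as well
        if ! printf '%s\n' "$trimmed" |
             grep -Eq '^set_var[[:space:]]+[A-Za-z_][A-Za-z0-9_]*([[:space:]]|$)'; then
            printf '%d: not a set_var line: %s\n' "$n" "$line"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Demo on two constructed vars files. Returns 0 when the lint accepts the
# plain file and refuses the one carrying an injected function and a "$(bar)"
# value, which is the situation the thread above describes.
vars_lint_demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# constructed, acceptable vars file' \
        'set_var EASYRSA_REQ_ORG "Example Org"' \
        '    set_var EASYRSA_CERT_EXPIRE 825' > "$dir/ok"
    printf '%s\n' 'set_var EASYRSA_REQ_ORG "Example Org"' \
        'injected() { :; }' 'injected' \
        'set_var EASYRSA_REQ_CN "$(bar)"' > "$dir/tampered"
    rc=1
    if vars_lint "$dir/ok" >/dev/null && ! vars_lint "$dir/tampered" >/dev/null; then
        rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Run `vars_lint path/to/vars` before sourcing; any non-zero exit means the file should be inspected rather than used.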