Opened 3 years ago

Closed 9 months ago

#553 closed Bug / Defect (invalid)

Password validation broken in openvpn client

Reported by: ekapke
Owned by:
Priority: blocker
Milestone: release 2.4.1
Component: OpenVPN Connect
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: Security
Cc:

Description

I noticed this when we added two-step authentication and I accidentally typed the auth code after my password in the same box.

Platform OS X (10.10.3)
OpenVPN Connect 2.0.9.201

  1. From the task bar at the top, from the menu, choose 'Connect to <vpn site>'
  2. UI Appears. In the password dialog, type your password.
  3. Before hitting connect, type any other garbage after your password.
  4. It will accept this as the password, and take you to the google authenticator dialog.
  5. Enter google authenticator code

Connected successfully.

This is a severe security bug.

It means the application is storing and validating the password in plain text!!!! It is then validating the user input against the length of the stored password, instead of the length of the user input.

Also, it reduces the available space for password guessers. My password might be password1 (example only, it's not really my password), and if the attacker guesses password1234, or password1<anything>, they have access to the account.
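The symptom described in the report above (a password still accepted when arbitrary characters are appended to it) is exactly what a comparison bounded by the stored secret's length produces, so the thing to check is whether the component that actually verifies the credential compares a prefix or the whole string. On a standard OpenVPN deployment that component is the server or its auth-user-pass-verify backend, not the client, which only forwards what the user typed. The ticket was closed without a root cause being established, and the code below is an added illustration written for this page, not code from OpenVPN or OpenVPN Connect. It contrasts a prefix check with an exact check; the stored value password1 and the list of guesses are constructed from the reporter's own examples.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example secret for this illustration only (the reporter's own
 * example value); not a real credential and not taken from OpenVPN. */
static const char *const STORED_PASSWORD = "password1";

/* Constructed guesses, including the ones named in the report. */
static const char *const EXAMPLE_GUESSES[] = {
    "password1", "password1234", "password1<anything>",
    "password", "Password1", "password2",
};
#define EXAMPLE_GUESS_COUNT (sizeof EXAMPLE_GUESSES / sizeof EXAMPLE_GUESSES[0])

/* Prefix comparison: the bound comes from the stored secret's length, so any
 * input that merely starts with the secret is accepted. A check of this shape
 * would produce the behaviour described in the ticket. */
int check_password_prefix(const char *stored, const char *input)
{
    return strncmp(stored, input, strlen(stored)) == 0;
}

/* Exact comparison: the lengths must agree and every byte must agree. The
 * byte loop does not exit early, so the time taken does not depend on how
 * many leading bytes were correct. */
int check_password_exact(const char *stored, const char *input)
{
    size_t slen = strlen(stored);
    size_t ilen = strlen(input);
    unsigned char diff = 0;
    size_t i;

    if (slen != ilen)
        return 0;
    for (i = 0; i < slen; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)input[i];
    return diff == 0;
}

/* Counts how many of the given guesses a checker accepts; used to show how
 * much wider the accepted set is under the prefix check. */
int count_accepted(int (*check)(const char *, const char *),
                   const char *stored, const char *const *guesses, size_t n)
{
    int accepted = 0;
    size_t i;

    for (i = 0; i < n; i++)
        accepted += check(stored, guesses[i]);
    return accepted;
}

int main(void)
{
    size_t i;

    for (i = 0; i < EXAMPLE_GUESS_COUNT; i++)
        printf("%-22s prefix:%d exact:%d\n", EXAMPLE_GUESSES[i],
               check_password_prefix(STORED_PASSWORD, EXAMPLE_GUESSES[i]),
               check_password_exact(STORED_PASSWORD, EXAMPLE_GUESSES[i]));
    printf("accepted by prefix check: %d of %zu\n",
           count_accepted(check_password_prefix, STORED_PASSWORD,
                          EXAMPLE_GUESSES, EXAMPLE_GUESS_COUNT),
           EXAMPLE_GUESS_COUNT);
    printf("accepted by exact check:  %d of %zu\n",
           count_accepted(check_password_exact, STORED_PASSWORD,
                          EXAMPLE_GUESSES, EXAMPLE_GUESS_COUNT),
           EXAMPLE_GUESS_COUNT);
    return 0;
}
```

The exact check only closes the prefix hole; it still assumes a plaintext secret, which is the other half of the reporter's complaint. A backend that stores a salted password hash and compares the fixed-length hash output has neither problem: the hash of password1234 shares nothing with the hash of password1, so the length-bounded acceptance described in the report cannot occur there.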


Change History (3)

comment:1 Changed 3 years ago by Samuli Seppänen

What version of OpenVPN (or Access Server?) are you using on the server-side?

comment:2 Changed 9 months ago by Antonio

Version: OpenVPN 2.0.x (Community Ed)

comment:3 Changed 9 months ago by Antonio

Resolution: invalid
Status: new → closed

Closing due to inactivity. If the problem is still there, please reopen this bug.
