Opened 9 years ago
Closed 6 years ago
#553 closed Bug / Defect (invalid)
Password validation broken in openvpn client
Reported by: | ekapke | Owned by: | |
---|---|---|---|
Priority: | blocker | Milestone: | release 2.4.1 |
Component: | OpenVPN Connect | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | Security |
Cc: |
Description
I noticed this when we added two-step authentication and accidentally typed the auth code after my password in the same box.
Platform OS X (10.10.3)
OpenVPN Connect 2.0.9.201
- From the task bar at the top, from the menu, choose 'Connect to <vpn site>'.
- UI Appears. In the password dialog, type your password.
- Before hitting connect, type any other garbage after your password.
- It will accept this as the password, and take you to the google authenticator dialog.
- Enter google authenticator code
Connected successfully.
This is a severe security bug.
It means the application is storing and validating the password in plain text!!!! It is then validating the user input against the length of the stored password, instead of the length of the user input.
Also, it reduces the available space for password guessers. My password might be password1 (example only, it's not really my password), and if the attacker guesses password1234 or password1<anything>, they have access to the account.
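As an added illustration, not OpenVPN Connect's code (which is not on this page), the prefix-match defect the report describes is modelled in C next to a corrected check; the stored secret and the guesses are the reporter's own example values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the defect the reporter describes: the comparison is bounded by
 * the length of the STORED secret, so any input that merely begins with the
 * real password passes. Hypothetical illustration, not OpenVPN Connect code. */
bool check_password_broken(const char *input, const char *stored)
{
    return strncmp(input, stored, strlen(stored)) == 0;
}

/* Corrected check: lengths must match exactly, and the byte comparison runs
 * over the full length with no early exit, so timing does not reveal how many
 * leading bytes were right. A real client should compare a salted hash or
 * verifier rather than the plaintext secret itself. */
bool check_password_fixed(const char *input, const char *stored)
{
    size_t in_len = strlen(input);
    size_t st_len = strlen(stored);
    if (in_len != st_len)
        return false;
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < st_len; i++)
        diff |= (uint8_t)input[i] ^ (uint8_t)stored[i];
    return diff == 0;
}

/* Count how many of the guesses each check accepts for the reporter's example
 * secret "password1". The guess list is constructed for this illustration. */
int count_accepted(bool (*check)(const char *, const char *))
{
    static const char *const guesses[] = {
        "password1",          /* the real secret */
        "password1234",       /* reporter's example: secret plus trailing digits */
        "password1<anything>",
        "password",           /* shorter than the secret: rejected by both */
        "Password1",          /* wrong case: rejected by both */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        if (check(guesses[i], "password1"))
            n++;
    return n;
}
```

The broken check accepts three of the five guesses (every string that starts with the secret), while the corrected check accepts only the exact secret.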
Change History (3)
comment:1 Changed 9 years ago by
comment:2 Changed 6 years ago by
Version: | OpenVPN 2.0.x (Community Ed) |
---|
comment:3 Changed 6 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
Closing due to inactivity. If the problem is still there, please reopen this bug.
What version of OpenVPN (or Access Server?) are you using on the server-side?