Changes between Version 18 and Version 19 of CVE-2018-7544
- Timestamp: 03/22/18 08:08:54 (6 years ago)
CVE-2018-7544
v18 v19 65 65 Not complying to these three simple points is considered a "you know what you are doing at your own risk" configuration. 66 66 67 It could also be argued that the management interface is enabled in configuration files provided by a VPN service provider or similar. Again, this is improper usage of OpenVPN if there are no management service process activating the core OpenVPN process. Any OpenVPN end-user need to get the configuration file from a well known and trusted source, if it has not already been installed by a system or network admin. OpenVPN itself cannot account for or try to protect users against using a configuration file from non-trusted source. Users using configurations from untrusted sources run a much higher risk on many other levels than the possibility to abuse the management interface. 68 67 It could also be argued that the management interface is enabled in configuration files provided by a VPN service provider or similar. Again, this is improper usage of OpenVPN if there are no management service process activating the core OpenVPN process. OpenVPN end-users should get the configuration file from a well-known and trusted source, if it has not already been installed by a system or network admin. OpenVPN itself cannot account for or try to protect users against using a configuration file from non-trusted source. Users who use OpenVPN configuration files downloaded from untrusted sources are taking much bigger risks than the possibility that their management interface gets abused. 69 68 70 69 === Conclusion ===
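Review bot: In the revised paragraph (v19 line 67), two grammar slips are carried over unchanged from v18: "if there are no management service process" should read "if there is no management service process", and "from non-trusted source" needs an article ("from a non-trusted source"). The paragraph also uses "non-trusted" in one sentence and "untrusted" in the next; settling on one term would make the guidance read more consistently.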