SSLVPN Client : Missing authentication on management interface (CVE-2021-31814)
Vulnerability details
Any user with local privileges can access OpenVPN’s managment interface. This could lead to a denial of service and information leak.
Impacted products
Revisions
Version |
Date |
Description |
v1 |
02/09/2021 |
Initial release |
Stormshield Network Security |
CVSS v3.1 Overall Score: 6.8 
|
Analysis
|
Impacted version
|
An attacker on the host could access OpenVPN’s managment interface. The interface can be used to read logs, show active connections status, or terminate VPN sessions.
|
|
Workaround solution
|
Solution
|
There is no workaround.
|
The 3.0.0 update fixes this vulnerability.
|
Attack Vector |
Attack Complexity |
Privileges Required |
User Interaction |
Scope |
Confidentiality Impact |
Integrity Impact |
Availability impact |
Local |
Low |
Low |
None |
Unchanged |
Low |
None |
High |
Exploit Code Maturity |
Remediation Level |
Report Confidence |
Proof of concept code |
Official fix |
Confirmed |
Confidentiality Requirement |
Integrity Requirement |
Availability Requirement |
High |
High |
High |