Computer Emergency Response Team of Mauritius (CERT-MU)

VN-2017-75


OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target User's Session
Severity Rating: Medium
Systems Affected:
  • OpenVPN Access Server
Description
A vulnerability was reported in OpenVPN Access Server that can be exploited by a remote attacker to conduct session fixation attacks and hijack a target user's session. A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session.
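The following Python sketch is an added example, not code from CERT-MU or OpenVPN. It shows two defensive controls against the flaw described above: flagging request targets that decode to a CR or LF, and issuing a fresh session identifier at login so that a cookie value set before authentication is worthless. The `Sessions` class, the sample paths and the header name are constructed for illustration.

```python
import secrets
from urllib.parse import unquote

def decoded_target(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%250A) is also seen."""
    for _ in range(max_rounds):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target

def injects_header(target):
    """True if the request target carries a CR or LF once decoded."""
    decoded = decoded_target(target)
    return "\r" in decoded or "\n" in decoded

def header_value(value):
    """Refuse to place CR/LF-bearing input into a response header."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value

class Sessions:
    """Minimal in-memory session store (hypothetical, for illustration)."""
    def __init__(self):
        self._by_id = {}

    def start(self, presented_id=None):
        # Never adopt an identifier the client supplied; only reuse known ones.
        if presented_id in self._by_id:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self._by_id[sid] = {"user": None}
        return sid

    def authenticate(self, sid, user):
        # Rotate on login: the pre-login identifier stops being valid.
        self._by_id.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._by_id[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self._by_id.get(sid, {}).get("user")

# Constructed request targets, not taken from the advisory or from real logs.
SAMPLE_TARGETS = ["/login?next=/home", "/login?next=/home%0AX-Injected:%201",
                  "/login?next=/home%250d%250aX-Injected:%201"]
FLAGGED = [t for t in SAMPLE_TARGETS if injects_header(t)]
```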
 
Solution
Users are advised to apply updates.
More information is available on:
 
CVE Information
 
Vendor Information
OpenVPN
 
References
Security Tracker
 
OpenVPN
 
Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis