Bug #15856
OpenVPN Status Page and Dashboard Widget use input values without validation
Status: Closed (100% done)
Description
When performing operations using the OpenVPN status page (/status_openvpn.php) or the Dashboard widget (/widgets/widgets/openvpn.widget.php), the user-supplied value of the remipp request variable is sent to the OpenVPN management socket without validation. The management interface treats each newline-terminated line as a separate command, so by embedding a newline in this variable it is possible to send additional arbitrary OpenVPN management commands through the management socket.
Output from the OpenVPN management commands is not returned to the user, but the commands can perform actions such as changing the log verbosity or causing the daemon to exit, resulting in a denial of service. Changes made using these commands do not persist across restarts of an OpenVPN daemon.
Values involved in these commands should be checked for proper form and rejected if they do not match the expected format. It may also be beneficial to strip newlines or other control characters from values being sent to the management socket.
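The following stand-alone Python illustration (added here; it is not pfSense code, which is PHP, and the management socket is a constructed in-memory stand-in rather than a real OpenVPN daemon) shows the vulnerable pattern of interpolating remipp straight into a "kill <address>:<port>" command, and the check described above that rejects anything not shaped like an address and port. The function and class names, the accepted address forms (bracketed or bare IPv6), and the sample payload are assumptions made for the example.

```python
"""Illustration of OpenVPN management-socket command injection via an
unchecked "remipp" value, and the input check that closes it.
The socket below is a constructed in-memory stand-in, not a real daemon."""
import ipaddress


class FakeManagementSocket:
    """Stand-in for the OpenVPN management interface: records each
    newline-terminated line it receives, which is how the daemon splits
    input into commands."""

    def __init__(self):
        self.received = []

    def send(self, data: str) -> None:
        # Every non-empty line is parsed as its own command.
        self.received.extend(line for line in data.split("\n") if line)


def kill_client_unsafe(sock, remipp: str) -> None:
    """Vulnerable pattern: the untrusted value is interpolated directly
    into the 'kill <addr>:<port>' management command."""
    sock.send(f"kill {remipp}\n")


def is_valid_remipp(remipp: str) -> bool:
    """Accept only '<ip>:<port>'. IPv6 may be bracketed ('[2001:db8::1]:1194')
    or bare; control characters, hostnames and bad ports are all rejected."""
    # Reject newlines and any other control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in remipp):
        return False
    host, sep, port = remipp.rpartition(":")
    # str.isdigit() (rather than int()) refuses surrounding whitespace.
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def kill_client_safe(sock, remipp: str) -> bool:
    """Hardened pattern: validate first; send only a well-formed value.
    Returns True if the command was sent, False if the input was rejected."""
    if not is_valid_remipp(remipp):
        return False
    sock.send(f"kill {remipp}\n")
    return True


def demo():
    """Run both paths against a constructed attacker value: a plausible
    address followed by a newline and a second management command."""
    payload = "192.0.2.10:51234\nsignal SIGTERM"
    unsafe = FakeManagementSocket()
    kill_client_unsafe(unsafe, payload)
    safe = FakeManagementSocket()
    accepted = kill_client_safe(safe, payload)
    return unsafe.received, safe.received, accepted


if __name__ == "__main__":
    unsafe_cmds, safe_cmds, accepted = demo()
    print("unsafe path sent:", unsafe_cmds)
    print("safe path accepted:", accepted, "sent:", safe_cmds)
```

With the constructed payload the unsafe path delivers two commands to the socket, "kill 192.0.2.10:51234" followed by "signal SIGTERM", which is exactly the daemon-exit case the description warns about; the validated path sends nothing. Checking the shape of the value is preferable to only stripping newlines, since a strict address-and-port check also rejects whatever other separators or arguments a future management command might accept.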