The attack vector in OpenVPN is particularly dangerous because it can be exploited before authentication, putting all communication through a supposedly secure tunnel at risk:
OpenVPN servers are vulnerable to Shellshock under certain configurations.
OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client. One option used for username+password authentication is “auth-user-pass-verify”. If the called script uses a vulnerable shell, the client simply delivers the exploit and payload by setting the username. This attack vector is pre-auth.
When we discovered this last week, we contacted email@example.com as well as many of our colleagues. Given how many users could potentially be affected, we reasoned that maximum utility would be achieved by giving VPN providers a heads-up before warning everyone. If you were affected but not informed, I apologize.
Fredrick Stromberg is cofounder of Mullvad, a Swedish VPN company.
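To find where a server is exposed in the way described above, an administrator can list every script hook in the OpenVPN configuration and check which interpreter each script runs under. The following is an added example, not code from Mullvad or the OpenVPN project; the file paths, script contents and severity labels are constructed for illustration, and it does not test whether the installed shell is patched.

```python
import shlex

# OpenVPN directives that run an external command.
HOOKS = {"auth-user-pass-verify", "client-connect", "client-disconnect",
         "tls-verify", "learn-address", "up", "down", "route-up", "ipchange"}
SHELLS = {"sh", "bash"}  # /bin/sh may be bash, so treat both as candidates

def interpreter(script_text):
    """Return the interpreter named on the shebang line, or None."""
    first = (script_text.splitlines() or [""])[0]
    parts = first[2:].split() if first.startswith("#!") else []
    if not parts:
        return None
    if parts[0].endswith("/env") and len(parts) > 1:
        return parts[1]                      # "#!/usr/bin/env bash" -> bash
    return parts[0].rsplit("/", 1)[-1]       # "#!/bin/bash" -> bash

def audit(config_text, scripts):
    """Return (directive, script_path, severity) for every script hook."""
    findings = []
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):     # ';' also starts a comment
            continue
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 2 or tokens[0] not in HOOKS:
            continue
        directive, path = tokens[0], tokens[1].split()[0]
        uses_shell = interpreter(scripts.get(path, "")) in SHELLS
        # via-env puts the client-supplied username/password in the environment,
        # and this hook runs before the client has authenticated.
        pre_auth = directive == "auth-user-pass-verify" and tokens[-1] == "via-env"
        severity = ("high" if pre_auth else "review") if uses_shell else "info"
        findings.append((directive, path, severity))
    return findings

# Constructed sample input: config and script bodies are illustrative only.
SAMPLE_CONFIG = """\
auth-user-pass-verify /etc/openvpn/check_login.sh via-env
client-connect "/etc/openvpn/connect.py --log"
learn-address /etc/openvpn/learn.sh
; up /etc/openvpn/old_up.sh
"""
SAMPLE_SCRIPTS = {
    "/etc/openvpn/check_login.sh": "#!/bin/bash\n# verify credentials\n",
    "/etc/openvpn/connect.py": "#!/usr/bin/env python3\n",
    "/etc/openvpn/learn.sh": "#!/bin/sh\n",
}

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, SAMPLE_SCRIPTS), sep="\n")
```

Hooks reported as "high" or "review" are the ones to prioritise when confirming that the shell they invoke has been updated.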