The researchers found a bug in OpenVPN, which missed two teams of auditors.
Immediately two independent audit teams completed the verification of one of the most popular VPN clients for today - OpenVPN. Then the researchers did not find any serious problems in OpenVPN, and the small defects found by them were promptly eliminated by the developers. Then representatives of OSTIF stated that "the corrections made to OpenVPN mean that the world becomes safer when using this software."
However, two conducted audits do not mean that there are no bugs in OpenVPN at all. So, this week, experts from Sydream Labs disclosed information about the vulnerability (http://seclists.org/oss-sec/2017/q2/332) they discovered in the administrative interface of OpenVPN as early as January 2017. Vulnerability allows you to steal someone else's session, and then use it to access OpenVPN-AS with victim rights. If the victim had administrative privileges, the problem becomes even more serious.
The vulnerability was identified by the identifier CVE-2017-5868, but there is no patch for it yet. While the fix does not appear, experts recommend using the Reverse Proxy function, which allows you to prevent the use of CRLF in the URI. Also, researchers advise to restrict or deny access to the web interface, at least by using white lists of IP addresses.