Bug 10125

Summary: openvpn new security issue CVE-2013-2061
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, oe, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/550934/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Source RPM: openvpn-2.2.2-5.mga2.src.rpm CVE:
Status comment:
Attachments: /etc/openvpn/server.conf

Description David Walser 2013-05-16 19:16:43 CEST 
Fedora has issued an advisory on May 7:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html

Cauldron is not affected as it was fixed upstream in 2.3.1.

Patched package uploaded for Mageia 2.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated openvpn package fixes security vulnerability:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext
injection due to a non-constant-time HMAC comparison function. Plaintext
recovery may be possible using a padding oracle attack on the CBC mode cipher
implementation of the crypto library, optimistically at a rate of about one
character per 3 hours. PolarSSL seems vulnerable to such an attack; the
vulnerability of OpenSSL has not been verified or tested (CVE-2013-2061).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
========================

Updated packages in core/updates_testing:
========================
openvpn-2.2.2-5.3.mga2

from openvpn-2.2.2-5.3.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-05-21 17:44:30 CEST 
Some info for testing here:
http://openvpn.net/index.php/open-source/documentation/howto.html
Comment 2 claire robinson 2013-05-21 20:07:17 CEST 
Testing mga2 64

# cp /usr/share/openvpn/sample-config-files/server.conf /etc/openvpn/
# cp /usr/share/openvpn/sample-keys/* /etc/openvpn/

Seems to be a problem with the systemd service file.

# service openvpn start
Starting openvpn (via systemctl):  Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.                [FAILED]

# systemctl status openvpn.service
openvpn.service
          Loaded: error (Reason: Invalid argument)
          Active: inactive (dead)


Skipping the redirection to systemctl..

# service --skip-redirect openvpn start
Starting openvpn:                                   [  OK  ]

# ps aux | grep vpn
openvpn  26470  0.0  0.0  24052  1280 ?        Ss   19:05   0:00 /usr/sbin/openvpn --user openvpn --group openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2

# service --skip-redirect openvpn stop
Shutting down openvpn:                              [  OK  ]

# systemctl start openvpn.service
Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.
claire robinson 2013-05-21 20:07:31 CEST

Whiteboard: (none) => feedback

Comment 3 claire robinson 2013-05-21 20:10:06 CEST 
Created attachment 4018 [details]
/etc/openvpn/server.conf

It's basically the sample server.conf with the user set to use openvpn:openvpn
Comment 4 David Walser 2013-05-21 20:39:49 CEST 
See Colin's comments in Bug 6291.

CC: (none) => mageia

Oden Eriksson 2013-05-22 10:55:02 CEST

CC: (none) => oe

Comment 7 claire robinson 2013-05-22 12:25:41 CEST 
Thanks David, so in this instance it should be..

# systemctl start openvpn@server.service

Trying again :)

Whiteboard: feedback => (none)

Comment 8 claire robinson 2013-05-22 13:51:29 CEST 
Testing complete mga2 32

# systemctl restart openvpn@server.service
# systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
          Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
          Active: active (running) since Wed, 22 May 2013 12:02:12 +0100; 4s ago
         Process: 17202 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
        Main PID: 17205 (openvpn)
          CGroup: name=systemd:/system/openvpn@.service/server
                  รข 17205 /usr/sbin/openvpn --daemon --writepid /var/run/openv...

May 22 12:02:12 laptop openvpn[17205]: GID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: UID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: Listening for incoming TCP connection ...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link local (bound): [unde...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link remote: [undef]
May 22 12:02:12 laptop openvpn[17205]: MULTI: multi_init called, r=256 v=256
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL: base=10.8.0.4 size=62
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL LIST
May 22 12:02:12 laptop openvpn[17205]: MULTI: TCP INIT maxclients=1024 maxeve...28
May 22 12:02:12 laptop openvpn[17205]: Initialization Sequence Completed


Confirmed it is running as openvpn user and listening for connections

# ps aux | grep vpn
openvpn  17350  0.0  0.0   5408  1060 ?        Ss   12:04   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

# netstat -pan | grep 1194
udp    0    0 0.0.0.0:1194   0.0.0.0:*    17350/openvpn


Connecting to it..

# cp /usr/share/openvpn/sample-config-files/client.conf /etc/openvpn/

Edited /etc/openvpn/client.conf so it connects to localhost

# cd /etc/openvpn
# openvpn client.conf

Vefiried it connected ok and could be pinged from another terminal tab..

$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.057 ms

Whiteboard: (none) => has_procedure mga2-32-ok

Comment 9 claire robinson 2013-05-22 13:55:34 CEST 
Removing it gives an error but it doesn't leave anything behind in /lib/systemd/system/

# urpme openvpn
removing openvpn-2.2.2-5.3.mga2.i586
Failed to issue method call: Unit name openvpn@.service is not valid.
removing package openvpn-2.2.2-5.3.mga2.i586
Comment 10 claire robinson 2013-05-22 16:53:18 CEST 
Testing complete mga2 64

Validating

Advisory & srpm in comment 0

Could sysadmin please push from 2 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2013-05-25 21:43:51 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0153

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED