Bug 21780

Summary: openvpn new security issue CVE-2017-12166
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, bruno, davidwhodgins, digidietze, marja11, sysadmin-bugs, tmb, wilcal.int
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK
Source RPM: openvpn-2.4.3-2.mga7.src.rpm CVE:
Status comment:
Attachments: Patch against openvpn 2.4.3 to exploit CVE-2017-12166
Patch against openvpn 2.3.6 to exploit CVE-2017-12166

Description David Walser 2017-09-28 14:15:11 CEST 
An advisory has been issued today (September 28):
http://openwall.com/lists/oss-security/2017/09/28/2

The issue is fixed upstream in 2.4.4 and 2.3.18.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-28 14:15:23 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-09-28 23:39:40 CEST 
Assigning to the registered openvpn maintainer.

CC: (none) => marja11
Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2017-10-02 02:23:38 CEST 
I submitted packages for cauldron, 6 and 5.
(No advisory made for now)

Status: NEW => ASSIGNED

Comment 3 David Walser 2017-10-02 05:20:54 CEST 
Thanks Bruno!

Advisory:
========================

Updated openvpn packages fix security vulnerabilities:

The bounds check in read_key() was performed after using the value, instead
of before. If 'key-method 1' is used, this allowed an attacker to send a
malformed packet to trigger a stack buffer overflow. Note that 'key-method 1'
has been replaced by 'key method 2' as the default in OpenVPN 2.0
(CVE-2017-12166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.18-1.mga5
libopenvpn-devel-2.3.18-1.mga5
openvpn-2.4.4-1.mga6
libopenvpn-devel-2.4.4-1.mga6

from SRPMS:
openvpn-2.3.18-1.mga5.src.rpm
openvpn-2.4.4-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => bruno
Assignee: bruno => qa-bugs
Version: Cauldron => 6

Comment 4 William Kenney 2017-10-03 18:47:08 CEST 
Is there a How-To page on how to set up OpenVPN on Mageia? Thanks

CC: (none) => wilcal.int

Comment 5 William Kenney 2017-10-04 19:25:44 CEST 
How do you set up OpenVPN asked on Mageia forum.

https://forums.mageia.org/en/viewtopic.php?f=8&t=12033
Comment 6 Brian Rockwell 2017-10-05 21:35:05 CEST 
This may help as a simple test.

https://bugs.mageia.org/show_bug.cgi?id=18478#c2

CC: (none) => brtians1

Comment 7 Josua Dietze 2017-10-10 23:00:25 CEST 
I have created an exploit patch and tested on MGA6 x86_64, comparing openvpn-2.4.3-1.mga6.src.rpm with openvpn-2.4.4-1.mga6.src.rpm.

With this patch applied to the client part of a test installation (as described in the link of comment #6), the server part of 2.4.3 could be crashed on my system.

With 2.4.4. there was no crash, the fake key was contained.

I'm attaching the patch.

CC: (none) => digidietze

Comment 8 Josua Dietze 2017-10-10 23:01:42 CEST 
Created attachment 9716 [details]
Patch against openvpn 2.4.3 to exploit CVE-2017-12166
Comment 9 Josua Dietze 2017-10-10 23:06:58 CEST 
If I had the permission, I would add "MGA6-64-OK" to the whiteboard ...
Comment 10 Josua Dietze 2017-10-11 08:41:21 CEST 
Addendum:
Obviously (but not explicitly stated before) the test configurations for server and client must be appended with the parameter "key-method 1".
Josua Dietze 2017-10-11 12:52:56 CEST

Whiteboard: MGA5TOO => MGA5TOO, MGA6-64-OK

Josua Dietze 2017-10-13 21:38:35 CEST

Whiteboard: MGA5TOO, MGA6-64-OK => has_procedure, MGA5TOO, MGA6-64-OK

Comment 11 Josua Dietze 2017-10-16 21:33:26 CEST 
Test from comment #7 repeated for MGA6-32.

Same result - version 2.4.4 catches and contains the fake key.

Whiteboard: has_procedure, MGA5TOO, MGA6-64-OK => has_procedure, MGA5TOO, MGA6-32-OK, MGA6-64-OK

Comment 12 Josua Dietze 2017-10-16 22:50:24 CEST 
Created attachment 9733 [details]
Patch against openvpn 2.3.6 to exploit CVE-2017-12166

Slightly different format for MGA5
Comment 13 Josua Dietze 2017-10-16 22:56:16 CEST 
Test from comment #7 repeated for MGA5-64 with patch for version 2.3.6.

Version 2.3.6 crashes when receiving the fake key.
Version 2.3.18 catches and contains the fake key.


Test repeated for MGA5-32.

Same result.

Whiteboard: has_procedure, MGA5TOO, MGA6-32-OK, MGA6-64-OK => has_procedure, MGA6-32-OK, MGA6-64-OK, MGA5-32-OK, MGA5-64-OK

Josua Dietze 2017-10-17 21:22:13 CEST

Whiteboard: has_procedure, MGA6-32-OK, MGA6-64-OK, MGA5-32-OK, MGA5-64-OK => has_procedure MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK

Josua Dietze 2017-10-17 21:32:59 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2017-10-18 06:23:27 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2017-10-18 22:20:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0372.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 15 David Walser 2017-12-31 19:15:30 CET 
The Mageia 5 update was never pushed.  It is missing from the SVN advisory.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 16 David Walser 2017-12-31 19:17:32 CET 
SVN advisory fixed.  Please push openvpn-2.3.18-1.mga5 to core/updates.
Comment 17 Thomas Backlund 2018-01-01 18:29:55 CET 
openvpn-2.3.18-1.mga5 moved.

Resolution: (none) => FIXED
CC: (none) => tmb
Status: REOPENED => RESOLVED