Bug 10125 - openvpn new security issue CVE-2013-2061
: openvpn new security issue CVE-2013-2061
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/550934/
: has_procedure mga2-32-ok mga2-64-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-05-16 19:16 CEST by David Walser
Modified: 2013-05-25 21:43 CEST (History)
4 users (show)

See Also:
Source RPM: openvpn-2.2.2-5.mga2.src.rpm
CVE:


Attachments
/etc/openvpn/server.conf (10.05 KB, application/octet-stream)
2013-05-21 20:10 CEST, claire robinson
Details

Description David Walser 2013-05-16 19:16:43 CEST
Fedora has issued an advisory on May 7:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html

Cauldron is not affected as it was fixed upstream in 2.3.1.

Patched package uploaded for Mageia 2.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated openvpn package fixes security vulnerability:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext
injection due to a non-constant-time HMAC comparison function. Plaintext
recovery may be possible using a padding oracle attack on the CBC mode cipher
implementation of the crypto library, optimistically at a rate of about one
character per 3 hours. PolarSSL seems vulnerable to such an attack; the
vulnerability of OpenSSL has not been verified or tested (CVE-2013-2061).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
========================

Updated packages in core/updates_testing:
========================
openvpn-2.2.2-5.3.mga2

from openvpn-2.2.2-5.3.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-05-21 17:44:30 CEST
Some info for testing here:
http://openvpn.net/index.php/open-source/documentation/howto.html
Comment 2 claire robinson 2013-05-21 20:07:17 CEST
Testing mga2 64

# cp /usr/share/openvpn/sample-config-files/server.conf /etc/openvpn/
# cp /usr/share/openvpn/sample-keys/* /etc/openvpn/

Seems to be a problem with the systemd service file.

# service openvpn start
Starting openvpn (via systemctl):  Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.                [FAILED]

# systemctl status openvpn.service
openvpn.service
          Loaded: error (Reason: Invalid argument)
          Active: inactive (dead)


Skipping the redirection to systemctl..

# service --skip-redirect openvpn start
Starting openvpn:                                   [  OK  ]

# ps aux | grep vpn
openvpn  26470  0.0  0.0  24052  1280 ?        Ss   19:05   0:00 /usr/sbin/openvpn --user openvpn --group openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2

# service --skip-redirect openvpn stop
Shutting down openvpn:                              [  OK  ]

# systemctl start openvpn.service
Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.
Comment 3 claire robinson 2013-05-21 20:10:06 CEST
Created attachment 4018 [details]
/etc/openvpn/server.conf

It's basically the sample server.conf with the user set to use openvpn:openvpn
Comment 4 David Walser 2013-05-21 20:39:49 CEST
See Colin's comments in Bug 6291.
Comment 7 claire robinson 2013-05-22 12:25:41 CEST
Thanks David, so in this instance it should be..

# systemctl start openvpn@server.service

Trying again :)
Comment 8 claire robinson 2013-05-22 13:51:29 CEST
Testing complete mga2 32

# systemctl restart openvpn@server.service
# systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
          Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
          Active: active (running) since Wed, 22 May 2013 12:02:12 +0100; 4s ago
         Process: 17202 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
        Main PID: 17205 (openvpn)
          CGroup: name=systemd:/system/openvpn@.service/server
                  └ 17205 /usr/sbin/openvpn --daemon --writepid /var/run/openv...

May 22 12:02:12 laptop openvpn[17205]: GID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: UID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: Listening for incoming TCP connection ...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link local (bound): [unde...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link remote: [undef]
May 22 12:02:12 laptop openvpn[17205]: MULTI: multi_init called, r=256 v=256
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL: base=10.8.0.4 size=62
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL LIST
May 22 12:02:12 laptop openvpn[17205]: MULTI: TCP INIT maxclients=1024 maxeve...28
May 22 12:02:12 laptop openvpn[17205]: Initialization Sequence Completed


Confirmed it is running as openvpn user and listening for connections

# ps aux | grep vpn
openvpn  17350  0.0  0.0   5408  1060 ?        Ss   12:04   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

# netstat -pan | grep 1194
udp    0    0 0.0.0.0:1194   0.0.0.0:*    17350/openvpn


Connecting to it..

# cp /usr/share/openvpn/sample-config-files/client.conf /etc/openvpn/

Edited /etc/openvpn/client.conf so it connects to localhost

# cd /etc/openvpn
# openvpn client.conf

Vefiried it connected ok and could be pinged from another terminal tab..

$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.057 ms
Comment 9 claire robinson 2013-05-22 13:55:34 CEST
Removing it gives an error but it doesn't leave anything behind in /lib/systemd/system/

# urpme openvpn
removing openvpn-2.2.2-5.3.mga2.i586
Failed to issue method call: Unit name openvpn@.service is not valid.
removing package openvpn-2.2.2-5.3.mga2.i586
Comment 10 claire robinson 2013-05-22 16:53:18 CEST
Testing complete mga2 64

Validating

Advisory & srpm in comment 0

Could sysadmin please push from 2 core/updates_testing to core/updates

Thanks!
Comment 11 Thomas Backlund 2013-05-25 21:43:51 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0153

Note You need to log in before you can comment on or make changes to this bug.