A security issue fixed in OpenVPN 2.3.9 has been reported on December 18:
https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html

Updated package uploaded for Mageia 5 (Cauldron was already updated).

Advisory:
========================

Updated openvpn packages fix security vulnerability:

OpenVPN versions before 2.3.9 contain an out of bounds read error in resolve_remote() in the file socket.c. With both IPv4 and IPv6 connections, OpenVPN will read a struct sockaddr_in6, but in the IPv4 case the data structure is smaller than in the IPv6 case.

The openvpn package has been updated to version 2.3.9, fixing this issue and several other bugs. See the upstream Changelog for details.

References:
https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.9
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.9-1.mga5
libopenvpn-devel-2.3.9-1.mga5

from openvpn-2.3.9-1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
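The bug class described in the advisory (reading a struct sockaddr_in6 out of a resolver result that is really a smaller struct sockaddr_in) is easiest to see in a small C program. The following is an added illustration written for this page, not OpenVPN's resolve_remote() or any other code from the project; the union name addr_storage, the helper copy_resolved_addr() and the demo_* functions are hypothetical, and the loopback addresses and port 16000 are constructed sample data taken from the test logs below. The helper checks that the address family and the supplied length agree before copying anything, which is the check whose absence produces the over-read.

```c
/* Added example, not OpenVPN's own code. It shows why an address returned by
 * a resolver must be copied according to its family and length: treating a
 * struct sockaddr_in (IPv4) as a struct sockaddr_in6 (IPv6) reads past the
 * end of the smaller structure. Names below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Union sized for the largest address family we accept, so the destination
 * can never be smaller than what we copy into it. */
union addr_storage {
    struct sockaddr     sa;
    struct sockaddr_in  in4;
    struct sockaddr_in6 in6;
};

/* Copy a resolved address into dst. Returns the number of bytes copied, or
 * -1 when the family is unsupported or len does not match the family. */
int copy_resolved_addr(const struct sockaddr *src, socklen_t len,
                       union addr_storage *dst)
{
    size_t expect;
    if (src == NULL || dst == NULL) return -1;
    switch (src->sa_family) {
    case AF_INET:  expect = sizeof(struct sockaddr_in);  break;
    case AF_INET6: expect = sizeof(struct sockaddr_in6); break;
    default:       return -1;
    }
    /* Reading sizeof(struct sockaddr_in6) bytes from a struct sockaddr_in is
     * exactly the out-of-bounds read from the advisory; reject the mismatch. */
    if ((size_t)len != expect) return -1;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, expect);
    return (int)expect;
}

/* How many bytes an unchecked IPv6-sized read overruns an IPv4 sockaddr by. */
int ipv4_overread_bytes(void)
{
    return (int)(sizeof(struct sockaddr_in6) - sizeof(struct sockaddr_in));
}

/* Constructed IPv4 sample: 127.0.0.1:16000, as in the loopback test. */
int demo_ipv4(union addr_storage *out)
{
    struct sockaddr_in in4;
    memset(&in4, 0, sizeof in4);
    in4.sin_family = AF_INET;
    in4.sin_port = htons(16000);
    inet_pton(AF_INET, "127.0.0.1", &in4.sin_addr);
    return copy_resolved_addr((struct sockaddr *)&in4, sizeof in4, out);
}

/* Constructed IPv6 sample: [::1]:16000. */
int demo_ipv6(union addr_storage *out)
{
    struct sockaddr_in6 in6;
    memset(&in6, 0, sizeof in6);
    in6.sin6_family = AF_INET6;
    in6.sin6_port = htons(16000);
    inet_pton(AF_INET6, "::1", &in6.sin6_addr);
    return copy_resolved_addr((struct sockaddr *)&in6, sizeof in6, out);
}

/* An IPv4 entry presented with the IPv6 length, which is what an unchecked
 * caller effectively assumes. The helper refuses instead of over-reading. */
int demo_mismatch(union addr_storage *out)
{
    struct sockaddr_in in4;
    memset(&in4, 0, sizeof in4);
    in4.sin_family = AF_INET;
    return copy_resolved_addr((struct sockaddr *)&in4,
                              sizeof(struct sockaddr_in6), out);
}

int main(void)
{
    union addr_storage st;
    char buf[INET6_ADDRSTRLEN];
    int n = demo_ipv4(&st);
    inet_ntop(AF_INET, &st.in4.sin_addr, buf, sizeof buf);
    printf("IPv4: copied %d bytes, %s:%u\n", n, buf, ntohs(st.in4.sin_port));
    n = demo_ipv6(&st);
    inet_ntop(AF_INET6, &st.in6.sin6_addr, buf, sizeof buf);
    printf("IPv6: copied %d bytes, [%s]:%u\n", n, buf, ntohs(st.in6.sin6_port));
    printf("mismatch rejected: %d (unchecked read would overrun by %d bytes)\n",
           demo_mismatch(&st), ipv4_overread_bytes());
    return 0;
}
```

On Linux the two structures are 16 and 28 bytes, so an unchecked sockaddr_in6 read of an IPv4 entry walks 12 bytes past the end of the real object; the length check is the difference between the fixed and the unfixed behaviour.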
[root@localhost sbin]# openvpn
OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015

Test Crypto:
./openvpn --genkey --secret key
./openvpn --test-crypto --secret key
This succeeded (see attachment after this post).

Testing client/server. You've got to modify the sample configuration file:
vi /usr/share/openvpn/sample-config-files/loopback-server
Modify the following in that file:
dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

I run it again:
[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sat Jan 9 10:46:41 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan 9 10:46:41 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan 9 10:46:41 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan 9 10:46:41 2016 Diffie-Hellman initialized with 2048 bit key
Sat Jan 9 10:46:41 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sat Jan 9 10:46:41 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan 9 10:46:41 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sat Jan 9 10:46:41 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

Next I have to edit the client side test configuration:
vi /usr/share/openvpn/sample-config-files/loopback-client
Modify the following rows:
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/client.key
cert /usr/share/openvpn/sample-keys/client.crt

Now run the client:
[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sat Jan 9 10:52:39 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan 9 10:52:39 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan 9 10:52:39 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan 9 10:52:39 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sat Jan 9 10:52:39 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan 9 10:52:39 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sat Jan 9 10:52:39 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sat Jan 9 10:52:39 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=5b4c4dc9 e82cd17b
Sat Jan 9 10:52:39 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sat Jan 9 10:52:39 2016 Validating certificate key usage
Sat Jan 9 10:52:39 2016 ++ Certificate has key usage 00a0, expects 00a0
Sat Jan 9 10:52:39 2016 VERIFY KU OK
Sat Jan 9 10:52:39 2016 Validating certificate extended key usage
Sat Jan 9 10:52:39 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan 9 10:52:39 2016 VERIFY EKU OK
Sat Jan 9 10:52:39 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sat Jan 9 10:52:39 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 9 10:52:39 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 9 10:52:39 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 9 10:52:39 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 9 10:52:39 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan 9 10:52:39 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000

This is running fine.
CC: (none) => brtians1
Created attachment 7328: This was the sample crypto-key test
Whiteboard: (none) => MGA5-32-OK
Some other notes: I picked up my tests from the following URL:
https://openvpn.net/index.php/open-source/documentation/install.html
MGA5-64bit (Virtualbox VM)

[root@localhost sbin]# openvpn
OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015

Ran the crypto testing:
[root@localhost sbin]# openvpn --genkey --secret key
[root@localhost sbin]# openvpn --test-crypto --secret key
Testing succeeded.

Testing client/server. You've got to modify the sample configuration file:
vi /usr/share/openvpn/sample-config-files/loopback-server
Modify the following in that file:
dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sun Jan 10 07:20:34 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:20:34 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:20:34 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:20:34 2016 Diffie-Hellman initialized with 2048 bit key
Sun Jan 10 07:20:34 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sun Jan 10 07:20:34 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:20:34 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sun Jan 10 07:20:34 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

--server is running. Now modify the client per prior post and run the client.

[root@localhost brian]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sun Jan 10 07:23:23 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:23:23 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:23:23 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:23:23 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sun Jan 10 07:23:23 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:23:23 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sun Jan 10 07:23:23 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:23 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=e87f2e6c 75af9f45
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Validating certificate key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Jan 10 07:23:23 2016 VERIFY KU OK
Sun Jan 10 07:23:23 2016 Validating certificate extended key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:23 2016 VERIFY EKU OK
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jan 10 07:23:23 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:24 2016 Initialization Sequence Completed
Sun Jan 10 07:23:33 2016 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Validating certificate key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Jan 10 07:23:33 2016 VERIFY KU OK
Sun Jan 10 07:23:33 2016 Validating certificate extended key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:33 2016 VERIFY EKU OK
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seems to be working to me.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED