Bug 17418 - openvpn new security issue fixed upstream in 2.3.9
Summary: openvpn new security issue fixed upstream in 2.3.9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/669524/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-12-29 19:40 CET by David Walser
Modified: 2016-01-12 10:15 CET

See Also:
Source RPM: openvpn-2.3.6-1.mga5.src.rpm
CVE:
Status comment:


Attachments
This was the sample crypto-key test (103.37 KB, text/plain)
2016-01-09 17:55 CET, Brian Rockwell

Description David Walser 2015-12-29 19:40:29 CET
A security issue fixed in OpenVPN 2.3.9 has been reported on December 18:
https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html

Updated package uploaded for Mageia 5 (Cauldron was already updated).

Advisory:
========================

Updated openvpn packages fix security vulnerability:

OpenVPN versions before 2.3.9 contain an out-of-bounds read in
resolve_remote() in the file socket.c.  With both IPv4 and IPv6 connections,
OpenVPN will read a struct sockaddr_in6, but in the IPv4 case the data
structure is smaller than in the IPv6 case.

The openvpn package has been updated to version 2.3.9, fixing this issue and
several other bugs.  See the upstream Changelog for details.

References:
https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.9
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.9-1.mga5
libopenvpn-devel-2.3.9-1.mga5

from openvpn-2.3.9-1.mga5.src.rpm

Comment 1 Brian Rockwell 2016-01-09 17:53:22 CET
[root@localhost sbin]# openvpn
OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015


Test Crypto:

./openvpn --genkey --secret key
./openvpn --test-crypto --secret key

This succeeded (see attachment after this post)

Testing client/server.  You've got to modify the sample configuration file

vi /usr/share/openvpn/sample-config-files/loopback-server

modify the following in that file:

dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

I run it again
[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sat Jan  9 10:46:41 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan  9 10:46:41 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan  9 10:46:41 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan  9 10:46:41 2016 Diffie-Hellman initialized with 2048 bit key
Sat Jan  9 10:46:41 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sat Jan  9 10:46:41 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan  9 10:46:41 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sat Jan  9 10:46:41 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001

Next I have to edit the client side test configuration

vi /usr/share/openvpn/sample-config-files/loopback-client

Modify the following rows:

ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/client.key
cert /usr/share/openvpn/sample-keys/client.crt

Now run the client:

[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sat Jan  9 10:52:39 2016 OpenVPN 2.3.9 i586-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sat Jan  9 10:52:39 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sat Jan  9 10:52:39 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Jan  9 10:52:39 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sat Jan  9 10:52:39 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jan  9 10:52:39 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sat Jan  9 10:52:39 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sat Jan  9 10:52:39 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=5b4c4dc9 e82cd17b
Sat Jan  9 10:52:39 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sat Jan  9 10:52:39 2016 Validating certificate key usage
Sat Jan  9 10:52:39 2016 ++ Certificate has key usage  00a0, expects 00a0
Sat Jan  9 10:52:39 2016 VERIFY KU OK
Sat Jan  9 10:52:39 2016 Validating certificate extended key usage
Sat Jan  9 10:52:39 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan  9 10:52:39 2016 VERIFY EKU OK
Sat Jan  9 10:52:39 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sat Jan  9 10:52:39 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan  9 10:52:39 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  9 10:52:39 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan  9 10:52:39 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  9 10:52:39 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan  9 10:52:39 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000


This is running fine.

CC: (none) => brtians1

Comment 2 Brian Rockwell 2016-01-09 17:55:12 CET
Created attachment 7328
This was the sample crypto-key test
Brian Rockwell 2016-01-09 17:55:58 CET

Whiteboard: (none) => MGA5-32-OK

Comment 3 Brian Rockwell 2016-01-09 17:59:43 CET
Some other notes - I picked up my tests from the following URL:

https://openvpn.net/index.php/open-source/documentation/install.html
Comment 4 Brian Rockwell 2016-01-10 14:24:48 CET
MGA5-64bit  (Virtualbox VM)

[root@localhost sbin]# openvpn
OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015


Ran the crypto testing

[root@localhost sbin]# openvpn --genkey --secret key
[root@localhost sbin]# openvpn --test-crypto --secret key

Testing succeeded.

Testing client/server.  You've got to modify the sample configuration file

vi /usr/share/openvpn/sample-config-files/loopback-server

modify the following in that file:

dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt

[root@localhost sbin]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server
Sun Jan 10 07:20:34 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:20:34 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:20:34 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:20:34 2016 Diffie-Hellman initialized with 2048 bit key
Sun Jan 10 07:20:34 2016 WARNING: file '/usr/share/openvpn/sample-keys/server.key' is group or others accessible
Sun Jan 10 07:20:34 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:20:34 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16000
Sun Jan 10 07:20:34 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16001


--server is running

Now modify the client per prior post and run the client.

[root@localhost brian]# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client
Sun Jan 10 07:23:23 2016 OpenVPN 2.3.9 x86_64-mageia-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 29 2015
Sun Jan 10 07:23:23 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Sun Jan 10 07:23:23 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 10 07:23:23 2016 WARNING: file '/usr/share/openvpn/sample-keys/client.key' is group or others accessible
Sun Jan 10 07:23:23 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jan 10 07:23:23 2016 UDPv4 link local (bound): [AF_INET]127.0.0.1:16001
Sun Jan 10 07:23:23 2016 UDPv4 link remote: [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:23 2016 TLS: Initial packet from [AF_INET]127.0.0.1:16000, sid=e87f2e6c 75af9f45
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Validating certificate key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Jan 10 07:23:23 2016 VERIFY KU OK
Sun Jan 10 07:23:23 2016 Validating certificate extended key usage
Sun Jan 10 07:23:23 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:23 2016 VERIFY EKU OK
Sun Jan 10 07:23:23 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:23 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:23 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jan 10 07:23:23 2016 [Test-Server] Peer Connection Initiated with [AF_INET]127.0.0.1:16000
Sun Jan 10 07:23:24 2016 Initialization Sequence Completed
Sun Jan 10 07:23:33 2016 TLS: soft reset sec=0 bytes=945/0 pkts=18/0
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Validating certificate key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Jan 10 07:23:33 2016 VERIFY KU OK
Sun Jan 10 07:23:33 2016 Validating certificate extended key usage
Sun Jan 10 07:23:33 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 10 07:23:33 2016 VERIFY EKU OK
Sun Jan 10 07:23:33 2016 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server, emailAddress=me@myhost.mydomain
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Jan 10 07:23:33 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 10 07:23:33 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seems to be working for me.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Brian Rockwell 2016-01-10 14:25:25 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2016-01-12 06:40:01 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-01-12 10:15:04 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0010.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

