Bug 26558 - openvpn new security issue CVE-2020-11810
Summary: openvpn new security issue CVE-2020-11810
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-32-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-28 03:51 CEST by David Walser
Modified: 2020-05-05 14:22 CEST

See Also:
Source RPM: openvpn-2.4.8-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-04-28 03:51:09 CEST
Fedora has issued an advisory today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/

The issue is fixed upstream in 2.4.9.

Mageia 7 is also affected.
David Walser 2020-04-28 03:51:30 CEST

Status comment: (none) => Fixed upstream in 2.4.9
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-04-28 04:13:20 CEST
Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated openvpn packages fix security vulnerability:

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a
data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such
packets are dropped, but if this packet arrives before the data channel crypto
parameters have been initialized, the victim's connection will be dropped. This
requires careful timing due to the small time window (usually within a few
seconds) between the victim client connection starting and the server
PUSH_REPLY response back to the client. This attack will only work if
Negotiable Cipher Parameters (NCP) is in use (CVE-2020-11810).

The openvpn package has been updated to version 2.4.9, fixing the issue and
other bugs.  See the upstream release notes for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.4.9-1.mga7
libopenvpn-devel-2.4.9-1.mga7

from openvpn-2.4.9-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.4.9 => (none)
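
A triage check for the condition described in the advisory in Comment 1, added here as an example that is not part of the bug report or of OpenVPN: it classifies a host from its OpenVPN version and config file. The function names, status strings and sample configs are constructed for illustration, and it assumes NCP is on by default in 2.4.x unless the config contains `ncp-disable`.

```shell
#!/bin/sh
# Added example: CVE-2020-11810 triage from a version string and a config file.
# Advisory scope: OpenVPN 2.4.x before 2.4.9, and only when NCP is in use.

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ncp_in_use CONFIG: succeed unless CONFIG has an uncommented ncp-disable line.
# Assumption: NCP is enabled by default in 2.4.x and 'ncp-disable' turns it off.
ncp_in_use() {
    ! grep -Eq '^[[:space:]]*ncp-disable([[:space:]]|$)' "$1"
}

# cve_2020_11810_status VERSION CONFIG prints one of:
#   outside-advisory-range | fixed | affected-ncp-on | affected-ncp-off
cve_2020_11810_status() {
    case "$1" in
        2.4|2.4.*) ;;
        *) echo "outside-advisory-range"; return 0 ;;
    esac
    if ! version_lt "$1" "2.4.9"; then
        echo "fixed"
    elif ncp_in_use "$2"; then
        echo "affected-ncp-on"
    else
        echo "affected-ncp-off"
    fi
}

# Demo on constructed configs (not taken from the bug report).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'dev tun\ncipher AES-256-CBC\n' > "$demo_dir/ncp-default.conf"
printf 'dev tun\n# ncp-disable\n  ncp-disable\n' > "$demo_dir/ncp-off.conf"
for v in 2.4.8 2.4.9; do
    echo "$v ncp-default.conf: $(cve_2020_11810_status "$v" "$demo_dir/ncp-default.conf")"
done
echo "2.4.8 ncp-off.conf: $(cve_2020_11810_status 2.4.8 "$demo_dir/ncp-off.conf")"
```

On an RPM-based system the version argument can come from `rpm -q --qf '%{VERSION}\n' openvpn`.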

Comment 2 Brian Rockwell 2020-05-01 21:04:40 CEST
The following 4 packages are going to be installed:

- libobjc4-8.4.0-1.mga7.i586
- libopenvpn-devel-2.4.9-1.mga7.i586
- openvpn-2.4.9-1.mga7.i586
- perl-Authen-PAM-0.160.0-22.mga7.i586



# openvpn --genkey --secret key

# openvpn --test-crypto --secret key

blah blah blah ...
Fri May  1 09:54:31 2020 TESTING ENCRYPT/DECRYPT of packet length=1500
Fri May  1 09:54:31 2020 OpenVPN crypto self-test mode SUCCEEDED.


vi /usr/share/openvpn/sample-config-files/loopback-server

dh /usr/share/openvpn/sample-keys/dh2048.pem
ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/server.key
cert /usr/share/openvpn/sample-keys/server.crt
tls-auth /usr/share/openvpn/sample-keys/ta.key 0

vi /usr/share/openvpn/sample-config-files/loopback-client

Modify the following rows:

ca /usr/share/openvpn/sample-keys/ca.crt
key /usr/share/openvpn/sample-keys/client.key
cert /usr/share/openvpn/sample-keys/client.crt
tls-auth /usr/share/openvpn/sample-keys/ta.key 1


# NOW PROTECT THE FILES

# cd /usr/share/openvpn/sample-config-files
# chmod go-r loop*
# cd /usr/share/openvpn/sample-keys
# chmod go-r ta.key
# chmod go-r client.key

Then on one terminal I run the server:

# openvpn --config /usr/share/openvpn/sample-config-files/loopback-server

on the other terminal I run

# openvpn --config /usr/share/openvpn/sample-config-files/loopback-client


When the client starts I see this on the server

Fri May  1 14:00:36 2020 TLS: Initial packet from [AF_INET6]::1:16001, sid=20e7d1e0 6ad892ed

On the client I see

Fri May  1 14:00:41 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri May  1 14:00:41 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May  1 14:00:41 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May  1 14:00:41 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:16000
Fri May  1 14:00:41 2020 Socket Buffers: R=[180224->180224] S=[180224->180224]
Fri May  1 14:00:41 2020 UDP link local (bound): [AF_INET]127.0.0.1:16001
Fri May  1 14:00:41 2020 UDP link remote: [AF_INET]127.0.0.1:16000

They seem to be going through a series of connections

Seems to work.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-32-OK

Comment 3 Thomas Andrews 2020-05-04 16:59:34 CEST
I've considered setting up a VPN from time to time, but every time I look into it I get hopelessly lost.

That said, I can certainly check the 64-bit version of this update for a clean install, which I did. Running "openvpn" from the command line gets me a very long and detailed list of options, so it would appear that part works, anyway.

Giving it the 64-bit OK based on that, and assuming Brian's 32-bit test will suffice for testing function.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK
Keywords: (none) => validated_update

Thomas Backlund 2020-05-05 12:08:31 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Mageia Robot 2020-05-05 14:22:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0195.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

