diff options
| author | Bernhard Schmidt <berni@debian.org> | 2021-04-28 16:47:06 +0200 |
|---|---|---|
| committer | Bernhard Schmidt <berni@debian.org> | 2021-04-28 16:47:06 +0200 |
| commit | c7528a75539f46a1b23d8c32ec83952fe095ae52 (patch) | |
| tree | 27184ca8d8d2898ea7ba27a27d83e34db0525c3d | |
| parent | a351f71e82badcc71a2ce881bbb97eccfcebc06b (diff) | |
Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078
Closes: #987380
| -rw-r--r-- | debian/patches/CVE-2020-11810.patch | 65 | ||||
| -rw-r--r-- | debian/patches/CVE-2020-15078.patch | 37 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
3 files changed, 104 insertions, 0 deletions
diff --git a/debian/patches/CVE-2020-11810.patch b/debian/patches/CVE-2020-11810.patch new file mode 100644 index 0000000..466cf0c --- /dev/null +++ b/debian/patches/CVE-2020-11810.patch @@ -0,0 +1,65 @@ +From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 +From: Lev Stipakov <lev@openvpn.net> +Date: Wed, 15 Apr 2020 10:30:17 +0300 +Subject: [PATCH] Fix illegal client float (CVE-2020-11810) + +There is a time frame between allocating peer-id and initializing data +channel key (which is performed on receiving push request or on async +push-reply) in which the existing peer-id float checks do not work right. + +If a "rogue" data channel packet arrives during that time frame from +another address and with same peer-id, this would cause client to float +to that new address. This is because: + + - tls_pre_decrypt() sets packet length to zero if + data channel key has not been initialized, which leads to + + - openvpn_decrypt() returns true if packet length is zero, + which leads to + + - process_incoming_link_part1() returns true, which + calls multi_process_float(), which commits float + +Note that problem doesn't happen when data channel key is initialized, +since in this case openvpn_decrypt() returns false. + +The net effect of this behaviour is that the VPN session for the +"victim client" is broken. Since the "attacker client" does not have +suitable keys, it can not inject or steal VPN traffic from the other +session. The time window is small and it can not be used to attack +a specific client's session, unless some other way is found to make it +disconnect and reconnect first. + +CVE-2020-11810 has been assigned to acknowledge this risk. + +Fix illegal float by adding buffer length check ("is this packet still +considered valid") before calling multi_process_float(). + +Trac: #1272 +CVE: 2020-11810 + +Signed-off-by: Lev Stipakov <lev@openvpn.net> +Acked-by: Arne Schwabe <arne@rfc2549.org> +Acked-by: Antonio Quartulli <antonio@openvpn.net> +Acked-by: Gert Doering <gert@greenie.muc.de> +Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html +Signed-off-by: Gert Doering <gert@greenie.muc.de> +--- + src/openvpn/multi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c +index b42bcec97..056e3dc76 100644 +--- a/src/openvpn/multi.c ++++ b/src/openvpn/multi.c +@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst + orig_buf = c->c2.buf.data; + if (process_incoming_link_part1(c, lsi, floated)) + { +- if (floated) ++ /* nonzero length means that we have a valid, decrypted packed */ ++ if (floated && c->c2.buf.len > 0) + { + multi_process_float(m, m->pending); + } diff --git a/debian/patches/CVE-2020-15078.patch b/debian/patches/CVE-2020-15078.patch new file mode 100644 index 0000000..b3b9613 --- /dev/null +++ b/debian/patches/CVE-2020-15078.patch @@ -0,0 +1,37 @@ +From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe <arne@rfc2549.org> +Date: Tue, 6 Apr 2021 00:05:21 +0200 +Subject: [PATCH] Ensure key state is authenticated before sending push reply + +This ensures that the key state is authenticated when sending +a push reply. +--- + src/openvpn/push.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/push.c b/src/openvpn/push.c +index 002be2332..52c6e8200 100644 +--- a/src/openvpn/push.c ++++ b/src/openvpn/push.c +@@ -652,6 +652,7 @@ int + process_incoming_push_request(struct context *c) + { + int ret = PUSH_MSG_ERROR; ++ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; + + #ifdef ENABLE_ASYNC_PUSH + c->c2.push_request_received = true; +@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c) + send_auth_failed(c, client_reason); + ret = PUSH_MSG_AUTH_FAILURE; + } +- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) ++ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED ++ && ks->authenticated ++ #ifdef ENABLE_DEF_AUTH ++ && !ks->auth_deferred ++ #endif ++ ) + { + time_t now; + diff --git a/debian/patches/series b/debian/patches/series index 8b19c3d..5ce43a5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,5 @@ match-manpage-and-command-help.patch spelling_errors.patch systemd.patch fix-pkcs11-helper-hang.patch +CVE-2020-11810.patch +CVE-2020-15078.patch |