diff options
| author | Bernhard Schmidt <berni@debian.org> | 2021-04-28 14:38:07 +0200 |
|---|---|---|
| committer | Bernhard Schmidt <berni@debian.org> | 2021-04-28 15:12:01 +0200 |
| commit | a398f557fd1320096e140f8ca297481ae75e12b3 (patch) | |
| tree | 120765e28976d039124f6962e2d2e7ee554e1b3c /debian/patches/CVE-2020-15078-3.patch | |
| parent | a8b5c8b8223889ccbb3f415ba206027a4f1b3b67 (diff) | |
CVE-2020-15078: Authentication bypass with deferred authentication
Overview
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass
authentication and access control channel data on servers configured
with deferred authentication, which can be used to potentially trigger
further information leaks.
Detailed description
This bug allows - under very specific circumstances - to trick a server
using delayed authentication (plugin or management) into returning a
PUSH_REPLY before the AUTH_FAILED message, which can possibly be used
to gather information about a VPN setup.
In combination with "--auth-gen-token" or a user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
Pre-Dependency:
CVE-2020-15078-0.patch: https://github.com/OpenVPN/openvpn/commit/14511010
CVE-Fix:
CVE-2020-15078-1.patch: https://github.com/OpenVPN/openvpn/commit/3aca477a
CVE-2020-15078-2.patch: https://github.com/OpenVPN/openvpn/commit/3d18e308
CVE-2020-15078-3.patch: https://github.com/OpenVPN/openvpn/commit/f7b3bf06
Closes: #987380
Diffstat (limited to 'debian/patches/CVE-2020-15078-3.patch')
| -rw-r--r-- | debian/patches/CVE-2020-15078-3.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/debian/patches/CVE-2020-15078-3.patch b/debian/patches/CVE-2020-15078-3.patch new file mode 100644 index 0000000..6d4414a --- /dev/null +++ b/debian/patches/CVE-2020-15078-3.patch @@ -0,0 +1,51 @@ +From f7b3bf067ffce72e7de49a4174fd17a3a83f0573 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe <arne@rfc2549.org> +Date: Tue, 6 Apr 2021 00:14:47 +0200 +Subject: [PATCH] Ensure key state is authenticated before sending push reply + +This ensures that the key state is authenticated when sending +a push reply. + +This bug allows - under very specific circumstances - to trick a +server using delayed authentication (plugin or management) into +returning a PUSH_REPLY before the AUTH_FAILED message, which can +possibly be used to gather information about a VPN setup. + +In combination with "--auth-gen-token" or user-specific token auth +solutions it can be possible to get access to a VPN with an +otherwise-invalid account. + +CVE-2020-15078 has been assigned to acknowledge this risk. + +CVE: 2020-15078 +Signed-off-by: Arne Schwabe <arne@rfc2549.org> +Acked-by: Gert Doering <gert@greenie.muc.de> +Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net> +URL: non-public, embargoed +Signed-off-by: Gert Doering <gert@greenie.muc.de> +--- + src/openvpn/push.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/push.c b/src/openvpn/push.c +index c47f4c8b6..2147aca0c 100644 +--- a/src/openvpn/push.c ++++ b/src/openvpn/push.c +@@ -732,6 +732,7 @@ int + process_incoming_push_request(struct context *c) + { + int ret = PUSH_MSG_ERROR; ++ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; + + if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED + || c->c2.tls_multi->multi_state == CAS_FAILED) +@@ -740,7 +741,8 @@ process_incoming_push_request(struct context *c) + send_auth_failed(c, client_reason); + ret = PUSH_MSG_AUTH_FAILURE; + } +- else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED) ++ else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED ++ && ks->authenticated == KS_AUTH_TRUE) + { + time_t now; + |