summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/CVE-2020-11810.patch65
-rw-r--r--debian/patches/CVE-2020-15078.patch37
-rw-r--r--debian/patches/series2
3 files changed, 104 insertions, 0 deletions
diff --git a/debian/patches/CVE-2020-11810.patch b/debian/patches/CVE-2020-11810.patch
new file mode 100644
index 0000000..466cf0c
--- /dev/null
+++ b/debian/patches/CVE-2020-11810.patch
@@ -0,0 +1,65 @@
+From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
+From: Lev Stipakov <lev@openvpn.net>
+Date: Wed, 15 Apr 2020 10:30:17 +0300
+Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
+
+There is a time frame between allocating peer-id and initializing data
+channel key (which is performed on receiving push request or on async
+push-reply) in which the existing peer-id float checks do not work right.
+
+If a "rogue" data channel packet arrives during that time frame from
+another address and with same peer-id, this would cause client to float
+to that new address. This is because:
+
+ - tls_pre_decrypt() sets packet length to zero if
+ data channel key has not been initialized, which leads to
+
+ - openvpn_decrypt() returns true if packet length is zero,
+ which leads to
+
+ - process_incoming_link_part1() returns true, which
+ calls multi_process_float(), which commits float
+
+Note that problem doesn't happen when data channel key is initialized,
+since in this case openvpn_decrypt() returns false.
+
+The net effect of this behaviour is that the VPN session for the
+"victim client" is broken. Since the "attacker client" does not have
+suitable keys, it can not inject or steal VPN traffic from the other
+session. The time window is small and it can not be used to attack
+a specific client's session, unless some other way is found to make it
+disconnect and reconnect first.
+
+CVE-2020-11810 has been assigned to acknowledge this risk.
+
+Fix illegal float by adding buffer length check ("is this packet still
+considered valid") before calling multi_process_float().
+
+Trac: #1272
+CVE: 2020-11810
+
+Signed-off-by: Lev Stipakov <lev@openvpn.net>
+Acked-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/multi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index b42bcec97..056e3dc76 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
+ orig_buf = c->c2.buf.data;
+ if (process_incoming_link_part1(c, lsi, floated))
+ {
+- if (floated)
++ /* nonzero length means that we have a valid, decrypted packed */
++ if (floated && c->c2.buf.len > 0)
+ {
+ multi_process_float(m, m->pending);
+ }
diff --git a/debian/patches/CVE-2020-15078.patch b/debian/patches/CVE-2020-15078.patch
new file mode 100644
index 0000000..b3b9613
--- /dev/null
+++ b/debian/patches/CVE-2020-15078.patch
@@ -0,0 +1,37 @@
+From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Tue, 6 Apr 2021 00:05:21 +0200
+Subject: [PATCH] Ensure key state is authenticated before sending push reply
+
+This ensures that the key state is authenticated when sending
+a push reply.
+---
+ src/openvpn/push.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 002be2332..52c6e8200 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -652,6 +652,7 @@ int
+ process_incoming_push_request(struct context *c)
+ {
+ int ret = PUSH_MSG_ERROR;
++ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
+
+ #ifdef ENABLE_ASYNC_PUSH
+ c->c2.push_request_received = true;
+@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c)
+ send_auth_failed(c, client_reason);
+ ret = PUSH_MSG_AUTH_FAILURE;
+ }
+- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
++ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
++ && ks->authenticated
++ #ifdef ENABLE_DEF_AUTH
++ && !ks->auth_deferred
++ #endif
++ )
+ {
+ time_t now;
+
diff --git a/debian/patches/series b/debian/patches/series
index 8b19c3d..5ce43a5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@ match-manpage-and-command-help.patch
spelling_errors.patch
systemd.patch
fix-pkcs11-helper-hang.patch
+CVE-2020-11810.patch
+CVE-2020-15078.patch