From f7b3bf067ffce72e7de49a4174fd17a3a83f0573 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Tue, 6 Apr 2021 00:14:47 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply

This ensures that the key state is authenticated when sending a push reply. This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or user-specific token auth solutions it can be possible to get access to a VPN with an otherwise-invalid account. CVE-2020-15078 has been assigned to acknowledge this risk.

CVE: 2020-15078
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id:
URL: non-public, embargoed
Signed-off-by: Gert Doering
---
 src/openvpn/push.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index c47f4c8b6..2147aca0c 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -732,6 +732,7 @@ int
 process_incoming_push_request(struct context *c)
 {
     int ret = PUSH_MSG_ERROR;
+    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
 
     if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED
         || c->c2.tls_multi->multi_state == CAS_FAILED)
@@ -740,7 +741,8 @@ process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
     }
-    else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED)
+    else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED
+             && ks->authenticated == KS_AUTH_TRUE)
     {
         time_t now;
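Review bot: The new `ks` declaration in the first hunk carries no comment explaining why the primary key state must be checked in addition to `multi_state == CAS_SUCCEEDED`; the commit message gives the reason (deferred plugin/management auth) but a reader of push.c alone cannot tell the two conditions apart, and a later cleanup could easily fold them back together. Suggest placing above the declaration `/* With deferred auth the session can reach CAS_SUCCEEDED while the primary key is not yet authenticated; PUSH_REPLY must never be sent in that state (see CVE-2020-15078). */`, hedging the wording if the state-machine detail differs from what the commit message describes. Since the pointer is only read, `const struct key_state *ks = ...` would also document intent. The body of process_incoming_push_request continues past the second hunk, which is cut off at the end of this view.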