blob: 6d4414ad3566e6eb035ca26a9c60d63960761b34 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From f7b3bf067ffce72e7de49a4174fd17a3a83f0573 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Tue, 6 Apr 2021 00:14:47 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply
This ensures that the key state is authenticated when sending
a push reply.
This bug allows - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) into
returning a PUSH_REPLY before the AUTH_FAILED message, which can
possibly be used to gather information about a VPN setup.
In combination with "--auth-gen-token" or user-specific token auth
solutions it can be possible to get access to a VPN with an
otherwise-invalid account.
CVE-2020-15078 has been assigned to acknowledge this risk.
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/push.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index c47f4c8b6..2147aca0c 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -732,6 +732,7 @@ int
process_incoming_push_request(struct context *c)
{
int ret = PUSH_MSG_ERROR;
+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED
|| c->c2.tls_multi->multi_state == CAS_FAILED)
@@ -740,7 +741,8 @@ process_incoming_push_request(struct context *c)
send_auth_failed(c, client_reason);
ret = PUSH_MSG_AUTH_FAILURE;
}
- else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED)
+ else if (c->c2.tls_multi->multi_state == CAS_SUCCEEDED
+ && ks->authenticated == KS_AUTH_TRUE)
{
time_t now;
|