Bug 531070 - <kde-misc/plasma-nm-0.9.3.6: created OpenVPN connections vulnerable to MITM attack
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
 
Reported: 2014-11-29 03:11 UTC by Richard Yao (RETIRED)
Modified: 2015-08-10 14:50 UTC (History)


Description Richard Yao (RETIRED) gentoo-dev 2014-11-29 03:11:45 UTC
plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this on each boot:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

This issue has been around for years and is also present in kde-misc/networkmanagement. I had incorrectly thought that kde-misc/networkmanagement was dropped by upstream until I realized that it is the desktop version of this component and is still supported. Upstream has written a patch for kde-misc/plasma-nm in response to my bug report:

https://bugs.kde.org/show_bug.cgi?id=341069
http://commits.kde.org/plasma-nm/863851110191d0480375d6c86ba8082dae9ac950

I have filed an upstream bug against kde-misc/networkmanagement:

https://bugs.kde.org/show_bug.cgi?id=341387

I am inclined to file a separate security bug for kde-misc/networkmanagement, but I have decided to give upstream a week to respond first in the belief that the note here is sufficient. If the security team feels otherwise, please do not hesitate to file another bug and CC me.
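An added example, not part of the bug report or of plasma-nm: a small audit that flags OpenVPN client configurations with no server verification directive and finds hosts that logged the warning quoted above. The directive set is an assumption taken from the OpenVPN HOWTO section the warning links to, plus verify-x509-name; the sample config and the second log line are constructed.

```python
import re

# Assumed set of directives that make a client check the server's identity.
VERIFY_DIRECTIVES = {"remote-cert-tls", "ns-cert-type", "tls-remote",
                     "verify-x509-name", "tls-verify"}
# These two only verify the server when their argument is "server".
NEEDS_SERVER_ARG = {"remote-cert-tls", "ns-cert-type"}
WARNING = "No server certificate verification method has been enabled"

def _directives(config_text):
    """Yield (name, args) for each active line; '#' and ';' start comments."""
    for raw in config_text.splitlines():
        tokens = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if tokens:
            yield tokens[0].lstrip("-"), tokens[1:]

def verification_directives(config_text):
    """Return the server verification directives that are actually in effect."""
    return [name for name, args in _directives(config_text)
            if name in VERIFY_DIRECTIVES
            and (name not in NEEDS_SERVER_ARG or args[:1] == ["server"])]

def is_exposed(config_text):
    """True for a client config that never verifies the server certificate."""
    names = {name for name, _ in _directives(config_text)}
    is_client = bool(names & {"client", "tls-client"})
    return is_client and not verification_directives(config_text)

def hosts_with_warning(log_lines):
    """Return hosts whose syslog lines (Mon DD HH:MM:SS host proc: msg) carry the warning."""
    return sorted({line.split()[3] for line in log_lines if WARNING in line})

# Constructed sample: the verification line is commented out, as in an
# unfixed profile; FIXED enables it.
WEAK = """client
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
;remote-cert-tls server
"""
FIXED = WEAK.replace(";remote-cert-tls", "remote-cert-tls")
LOG = [
    "Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Nov 17 22:40:57 t520 nm-openvpn[29005]: Initialization Sequence Completed",  # constructed
]

if __name__ == "__main__":
    print("weak exposed:", is_exposed(WEAK), "| fixed exposed:", is_exposed(FIXED))
    print("hosts logging the warning:", hosts_with_warning(LOG))
```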
Comment 1 Johannes Huber (RETIRED) gentoo-dev 2015-05-30 12:00:25 UTC
From upstream bug report this is fixed in 0.9.0.12 which is the only version in tree. Remove kde from cc then.
Comment 2 Johannes Huber (RETIRED) gentoo-dev 2015-05-30 12:00:57 UTC
(In reply to Johannes Huber from comment #1)
> From upstream bug report this is fixed in 0.9.0.12 which is the only version
> in tree. Remove kde from cc then.

Sorry, wrong package.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2015-06-06 19:01:11 UTC
+  06 Jun 2015; Michael Palimaka <kensington@gentoo.org>
+  +plasma-nm-0.9.3.6.ebuild:
+  Version bump wrt bug #531070.
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2015-07-17 21:19:06 UTC
Arches please stabilize =kde-misc/plasma-nm-0.9.3.6

Target: amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-18 19:28:23 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-18 19:33:05 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Johannes Huber (RETIRED) gentoo-dev 2015-07-18 19:55:43 UTC
Thanks all. Cleanup done. Removing maintainer then.

+
+  18 Jul 2015; Johannes Huber <johu@gentoo.org>
+  -files/plasma-nm-0.9.3.5-openconnect.patch, -plasma-nm-0.9.3.5.ebuild:
+  Remove vulnerable version, bug #531070.
+
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-07-19 20:37:05 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-10 14:50:15 UTC
GLSA Vote: No