
Bug 468756 (CVE-2013-2061)

Summary: <net-misc/openvpn-2.3.1: ciphertext injection vulnerability in UDP mode (CVE-2013-2061)
Product: Gentoo Security Reporter: kfm
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alexander, djc
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 476034    

Description kfm 2013-05-06 12:59:49 UTC
"OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested."

Here's the full summary: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc

The vulnerability is not considered serious because a definitive attack vector relies on running OpenVPN with a null cipher. Nevertheless, I would suggest a stable push for 2.3.1 at the earliest opportunity.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-05-06 13:05:35 UTC
I'd be fine with that, but I'll leave it to the security team to decide. Note that we don't support PolarSSL in OpenVPN before 2.3.1.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-10 16:46:01 UTC
(In reply to comment #0)
> 
> The vulnerability is not considered serious because a definitive attack
> vector relies on running OpenVPN with a null cipher. Nevertheless, I would
> suggest a stable push for 2.3.1 at the earliest opportunity.

Agreed.

Arches, please test and mark stable:
=net-misc/openvpn-2.3.1
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-11 10:38:54 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-11 11:03:23 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-11 11:07:42 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-11 11:08:59 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-11 11:10:03 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-11 11:10:59 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-11 11:11:43 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-05-11 11:13:14 UTC
sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-11 17:21:33 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2013-05-26 06:43:44 UTC
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-06-09 16:02:44 UTC
sh stable
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:49:58 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-20 10:50:33 UTC
This issue was resolved and addressed in
 GLSA 201311-13 at http://security.gentoo.org/glsa/glsa-201311-13.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:15:15 UTC
CVE-2013-2061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2061):
  The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when
  running in UDP mode, allows remote attackers to obtain sensitive information
  via a timing attack involving an HMAC comparison function that does not run
  in constant time and a padding oracle attack on the CBC mode cipher.
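
The CVE text above turns on an HMAC comparison function that does not run in constant time. The C code below is an added example, not OpenVPN's code or its patch: it puts an early-exit tag comparison next to a constant-time one and counts the bytes each examines as a deterministic stand-in for run time. The names `leaky_eq`, `ct_eq` and `steps_for_mismatch` and the 20-byte sample tag are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 20 /* constructed: HMAC-SHA1-sized tag */

/* Early-exit compare (the non-constant-time pattern). *steps counts bytes
 * examined: a deterministic stand-in for the run time an observer sees. */
static int leaky_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 0;           /* stops at the first differing byte */
    }
    return 1;
}

/* Constant-time compare: every byte is read and folded into diff, so the
 * work done does not depend on where (or whether) the tags differ. */
static int ct_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return diff == 0;
}

/* Bytes examined when the first mismatch is at pos (TAG_LEN = no mismatch). */
static size_t steps_for_mismatch(int constant_time, size_t pos)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    size_t steps = 0;
    memset(expected, 0xA5, sizeof expected);   /* constructed sample tag */
    memcpy(received, expected, sizeof received);
    if (pos < TAG_LEN)
        received[pos] ^= 0xFF;
    (constant_time ? ct_eq : leaky_eq)(expected, received, TAG_LEN, &steps);
    return steps;
}

int main(void)
{
    for (size_t pos = 0; pos <= TAG_LEN; pos += 5)
        printf("first mismatch at %2zu: leaky=%2zu ct=%2zu\n", pos,
               steps_for_mismatch(0, pos), steps_for_mismatch(1, pos));
    return 0;
}
```

In production code, prefer the crypto library's own constant-time comparison (for example OpenSSL's `CRYPTO_memcmp`) over a hand-written loop.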