Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618204 (CVE-2017-7478, CVE-2017-7479) - <net-vpn/openvpn-2.4.2: multiple vulnerabilities including unauthenticated DoS
Summary: <net-vpn/openvpn-2.4.2: multiple vulnerabilities including unauthenticated DoS
Status: RESOLVED FIXED
Alias: CVE-2017-7478, CVE-2017-7479
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://ostif.org/the-openvpn-2-4-0-a...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-11 15:49 UTC by Louis Sautier (sbraz)
Modified: 2017-07-09 21:29 UTC (History)
3 users (show)

See Also:
Package list:
=net-vpn/openvpn-2.4.2-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Louis Sautier (sbraz) gentoo-dev 2017-05-11 15:49:44 UTC
From what I understand, versions 2.4.0 and 2.4.1 suffer from multiple vulnerabilities.
Here are the most serious issues which were fixed in version 2.4.2:
"
- Correction of a pre-authentication Denial of Service attack. An attacker can crash any OpenVPN client or server without any credentials or keys.
- Correction of an authenticated user Denial of Service attack. An attacker can crash an OpenVPN client or server using an AEAD mode cipher by sending crafted data to exhaust the packet counter. Requires authentication.
- Correction of issues in mbedtls (PolarSSL) X509 certificate handling. Verify return values of mbedtls_x509_dn_gets and mbedtls_x509_serial_gets correctly.
- Correction of usernames and passwords not being properly erased. for the new bootloader. (keystrokes not erased after authentication)
- Correction of null pointer dereferences. Because this issue is low-severity and not exploitable, this fix is reserved for a future release.
- Correction of service handling for OpenVPN GUI. The OpenVPN GUI did not properly terminate the service when closed.
- Improvements to documentation of the OpenVPN protocol. Improving transparency of functionality for developers working with the OpenVPN protocol.
- Updates to user documentation for other vulnerabilities that can be closed by user practices. Such as selecting more secure options, and deprecating antiquated options that are unsafe.
"

See the audit results and the OpenVPN download page for more info:
https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/
https://openvpn.net/index.php/open-source/downloads.html
There should be more info there but I can't access the site at the moment:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
Comment 1 Manuel Rüger gentoo-dev 2017-05-11 15:55:40 UTC
Removed all vulnerable versions except current stable.
Added fixed versions 2.3.15 and 2.4.2
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-12 04:57:34 UTC
Maintainer(s), Thank you for your work.

Closing - noglsa
Comment 3 Hanno Böck gentoo-dev 2017-05-12 10:43:13 UTC
I think there's been a mistake here. This bug was closed, although the current stable version (2.3.12) is still vulnerable to most of these issues. It seems stabilization was forgotten.
Comment 4 Manuel Rüger gentoo-dev 2017-05-15 12:59:17 UTC
Correct, 

arches please stabilize 2.4.2

Keywords for net-vpn/openvpn:
         |                                 |   u   |  
         | a a         p s   a     n r     |   n   |  
         | l m   h i   p p   r m m i i s   | e u s | r
         | p d a p a p c a x m i 6 o s 3   | a s l | e
         | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
         | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
---------+---------------------------------+-------+-------
  2.3.12 | + + + + + + + + + o ~ o o o ~ ~ | 5 o 0 | gentoo
  2.3.15 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o o o ~ ~ | 6 #   | gentoo
[I]2.4.2 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o o o ~ ~ | 6 o   | gentoo
    9999 | o o o o o o o o o o o o o o o o | 6 o   | gentoo
Comment 5 Tobias Klausmann gentoo-dev 2017-05-15 18:47:00 UTC
Stable on alpha.
Comment 6 Jeroen Roovers gentoo-dev 2017-05-16 05:00:02 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-16 07:45:16 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-16 08:02:20 UTC
x86 stable
Comment 9 Yegor Timoshenko 2017-05-16 10:35:54 UTC
Stable on macOS x64 (see https://github.com/gentoo/gentoo/pull/4636).
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-16 13:08:20 UTC
ppc64 stable
Comment 11 Michael Weber (RETIRED) gentoo-dev 2017-05-17 15:47:50 UTC
ppc stable.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-18 05:27:52 UTC
Hanno, thank you for catching that. My fault.
Comment 13 Agostino Sarubbo gentoo-dev 2017-05-22 11:41:30 UTC
sparc stable
Comment 14 lou 2017-05-25 13:59:28 UTC
openvpn-2.4.2 does not start for me. 

[ebuild   R    ] net-vpn/openvpn-2.4.2::gentoo  USE="examples lzo pam plugins ssl -down-root -inotify -iproute2 (-libressl) -lz4 -mbedtls -pkcs11 (-polarssl) (-selinux) -static -systemd {-test}" 0 KiB

When trying to start...

/etc/init.d/openvpn start
 * Caching service dependencies ...                                                                                                   [ ok ]
 * Starting openvpn ...
 * start-stop-daemon: failed to start `/usr/sbin/openvpn'
 * Check your logs to see why startup failed                                                                                          [ !! ]
 * ERROR: openvpn failed to start

Nothing in my logs. Rolling back to openvpn-2.3.15, I can again start the service.
Comment 15 Thomas Deutschmann gentoo-dev Security 2017-05-26 08:59:33 UTC
(In reply to lou from comment #14)
> openvpn-2.4.2 does not start for me. 

Please file a new bug.
Comment 16 Markus Meier gentoo-dev 2017-05-26 18:31:03 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-06-10 15:18:24 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-09 21:29:30 UTC
GLSA Vote: No

Tree is clean.