openvpn: fix CVE-2024-28882

CVE-2024-28882: OpenVPN in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session References: https://community.openvpn.net/openvpn/wiki/CVE-2024-28882 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Haixiao Yan <haixiao.yan.cn@windriver.com> 2024-11-06 17:58:48 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-11-09 14:51:28 -0500
commit: 6c870913b8178a207a065deabac1c37c68791d17 (patch)
tree: 8cc55d11530f846f59b706385b867c67097ef671
parent: aed7003e72db4536c264d60daa41f949306aee8a (diff)
download: meta-openembedded-6c870913b8178a207a065deabac1c37c68791d17.tar.gz
2 files changed, 145 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
new file mode 100644
index 0000000000..0b016c89e2
--- /dev/null
+++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
@@ -0,0 +1,144 @@
+From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
+Date: Thu, 16 May 2024 13:58:08 +0200
+Subject: [PATCH] Only schedule_exit() once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If an exit has already been scheduled we should not schedule it again.
+Otherwise, the exit signal is never emitted if the peer reschedules the
+exit before the timeout occurs.
+schedule_exit() now only takes the context as argument. The signal is
+hard coded to SIGTERM, and the interval is read directly from the
+context options.
+Furthermore, schedule_exit() now returns a bool signifying whether an
+exit was scheduled; false if exit is already scheduled. The call sites
+are updated accordingly. A notable difference is that management is only
+notified *once* when an exit is scheduled - we no longer notify
+management on redundant exit.
+This patch was assigned a CVE number after already reviewed and ACKed,
+because it was discovered that a misbehaving client can use the (now
+fixed) server behaviour to avoid being disconnected by means of a
+managment interface "client-kill" command - the security issue here is
+"client can circumvent security policy set by management interface".
+This only affects previously authenticated clients, and only management
+client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
+affected.
+CVE: 2024-28882
+Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
+Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
+Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
+Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+CVE: CVE-2024-28882
+Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ src/openvpn/forward.c | 15 +++++++++++----
+ src/openvpn/forward.h |  2 +-
+ src/openvpn/push.c    | 12 +++++++-----
+ 3 files changed, 19 insertions(+), 10 deletions(-)
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index e9811b9c81de..29e812ffd17d 100644
+--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+  */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
+ {
+    const int n_seconds = c->options.scheduled_exit_interval;
+    /* don't reschedule if already scheduled. */
+    if (event_timeout_defined(&c->c2.scheduled_exit))
+    {
+        return false;
+    }
+     tls_set_single_session(c->c2.tls_multi);
+     update_time();
+     reset_coarse_timers(c);
+     event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+-    c->c2.scheduled_exit_signal = signal;
+    c->c2.scheduled_exit_signal = SIGTERM;
+     msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+    return true;
+ }
+ 
+ /*
+diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
+index 060fc374ca60..245a80292112 100644
+--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 1b406b9c5311..d220eeb97442 100644
+--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+      * */
+     if (c->options.mode == MODE_SERVER)
+     {
+-        schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+        if (!schedule_exit(c))
+        {
+            /* Return early when we don't need to notify management */
+            return;
+        }
+     }
+     else
+     {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+-    if (event_timeout_defined(&c->c2.scheduled_exit))
+    if (!schedule_exit(c))
+     {
+         msg(D_TLS_DEBUG, "exit already scheduled for context");
+         return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
+     static const char auth_failed[] = "AUTH_FAILED";
+     size_t len;
+ 
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+     len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+     if (len > PUSH_BUNDLE_SIZE)
+     {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+    schedule_exit(c);
+     send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
index f8de78ff74..9b551d3ca2 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
@@ -10,6 +10,7 @@ inherit autotools systemd update-rc.d pkgconfig
 SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
           file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
           file://openvpn \
+           file://CVE-2024-28882.patch \
          "
 UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
author	Haixiao Yan <haixiao.yan.cn@windriver.com>	2024-11-06 17:58:48 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-11-09 14:51:28 -0500
commit	6c870913b8178a207a065deabac1c37c68791d17 (patch)
tree	8cc55d11530f846f59b706385b867c67097ef671
parent	aed7003e72db4536c264d60daa41f949306aee8a (diff)
download	meta-openembedded-6c870913b8178a207a065deabac1c37c68791d17.tar.gz

diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch new file mode 100644 index 0000000000..0b016c89e2 --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
@@ -0,0 +1,144 @@
		1	From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
		3	Date: Thu, 16 May 2024 13:58:08 +0200
		4	Subject: [PATCH] Only schedule_exit() once
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	If an exit has already been scheduled we should not schedule it again.
		10	Otherwise, the exit signal is never emitted if the peer reschedules the
		11	exit before the timeout occurs.
		12
		13	schedule_exit() now only takes the context as argument. The signal is
		14	hard coded to SIGTERM, and the interval is read directly from the
		15	context options.
		16
		17	Furthermore, schedule_exit() now returns a bool signifying whether an
		18	exit was scheduled; false if exit is already scheduled. The call sites
		19	are updated accordingly. A notable difference is that management is only
		20	notified once when an exit is scheduled - we no longer notify
		21	management on redundant exit.
		22
		23	This patch was assigned a CVE number after already reviewed and ACKed,
		24	because it was discovered that a misbehaving client can use the (now
		25	fixed) server behaviour to avoid being disconnected by means of a
		26	managment interface "client-kill" command - the security issue here is
		27	"client can circumvent security policy set by management interface".
		28
		29	This only affects previously authenticated clients, and only management
		30	client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
		31	affected.
		32
		33	CVE: 2024-28882
		34
		35	Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
		36	Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
		37	Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
		38	Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
		39	URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
		40	Signed-off-by: Gert Doering <gert@greenie.muc.de>
		41
		42	CVE: CVE-2024-28882
		43	Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
		44
		45	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
		46	---
		47	src/openvpn/forward.c \| 15 +++++++++++----
		48	src/openvpn/forward.h \| 2 +-
		49	src/openvpn/push.c \| 12 +++++++-----
		50	3 files changed, 19 insertions(+), 10 deletions(-)
		51
		52	diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
		53	index e9811b9c81de..29e812ffd17d 100644
		54	--- a/src/openvpn/forward.c
		55	+++ b/src/openvpn/forward.c
		56	@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
		57	}
		58
		59	/*
		60	- * Schedule a signal n_seconds from now.
		61	+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
		62	*/
		63	-void
		64	-schedule_exit(struct context *c, const int n_seconds, const int signal)
		65	+bool
		66	+schedule_exit(struct context *c)
		67	{
		68	+ const int n_seconds = c->options.scheduled_exit_interval;
		69	+ /* don't reschedule if already scheduled. */
		70	+ if (event_timeout_defined(&c->c2.scheduled_exit))
		71	+ {
		72	+ return false;
		73	+ }
		74	tls_set_single_session(c->c2.tls_multi);
		75	update_time();
		76	reset_coarse_timers(c);
		77	event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
		78	- c->c2.scheduled_exit_signal = signal;
		79	+ c->c2.scheduled_exit_signal = SIGTERM;
		80	msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
		81	+ return true;
		82	}
		83
		84	/*
		85	diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
		86	index 060fc374ca60..245a80292112 100644
		87	--- a/src/openvpn/forward.h
		88	+++ b/src/openvpn/forward.h
		89	@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
		90
		91	void process_ip_header(struct context c, unsigned int flags, struct buffer buf);
		92
		93	-void schedule_exit(struct context *c, const int n_seconds, const int signal);
		94	+bool schedule_exit(struct context *c);
		95
		96	static inline struct link_socket_info *
		97	get_link_socket_info(struct context *c)
		98	diff --git a/src/openvpn/push.c b/src/openvpn/push.c
		99	index 1b406b9c5311..d220eeb97442 100644
		100	--- a/src/openvpn/push.c
		101	+++ b/src/openvpn/push.c
		102	@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
		103	* */
		104	if (c->options.mode == MODE_SERVER)
		105	{
		106	- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
		107	+ if (!schedule_exit(c))
		108	+ {
		109	+ /* Return early when we don't need to notify management */
		110	+ return;
		111	+ }
		112	}
		113	else
		114	{
		115	@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
		116	void
		117	send_auth_failed(struct context c, const char client_reason)
		118	{
		119	- if (event_timeout_defined(&c->c2.scheduled_exit))
		120	+ if (!schedule_exit(c))
		121	{
		122	msg(D_TLS_DEBUG, "exit already scheduled for context");
		123	return;
		124	@@ -401,8 +405,6 @@ send_auth_failed(struct context c, const char client_reason)
		125	static const char auth_failed[] = "AUTH_FAILED";
		126	size_t len;
		127
		128	- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
		129	-
		130	len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
		131	if (len > PUSH_BUNDLE_SIZE)
		132	{
		133	@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
		134	void
		135	send_restart(struct context c, const char kill_msg)
		136	{
		137	- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
		138	+ schedule_exit(c);
		139	send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
		140	}
		141
		142	--
		143	2.34.1
		144


diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb index f8de78ff74..9b551d3ca2 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
@@ -10,6 +10,7 @@ inherit autotools systemd update-rc.d pkgconfig
10	SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \	10	SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
11	file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \	11	file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
12	file://openvpn \	12	file://openvpn \
		13	file://CVE-2024-28882.patch \
13	"	14	"
14		15
15	UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"	16	UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"