From 6c870913b8178a207a065deabac1c37c68791d17 Mon Sep 17 00:00:00 2001
From: Haixiao Yan
Date: Wed, 6 Nov 2024 17:58:48 +0800
Subject: openvpn: fix CVE-2024-28882

CVE-2024-28882: OpenVPN in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session
References: https://community.openvpn.net/openvpn/wiki/CVE-2024-28882
Signed-off-by: Haixiao Yan
Signed-off-by: Armin Kuster
---
 .../openvpn/openvpn/CVE-2024-28882.patch | 144 +++++++++++++++++++++
 .../recipes-support/openvpn/openvpn_2.6.10.bb | 1 +
 2 files changed, 145 insertions(+)
 create mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch

diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
new file mode 100644
index 0000000000..0b016c89e2
--- /dev/null
+++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
@@ -0,0 +1,144 @@
+From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
+Date: Thu, 16 May 2024 13:58:08 +0200
+Subject: [PATCH] Only schedule_exit() once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an exit has already been scheduled we should not schedule it again.
+Otherwise, the exit signal is never emitted if the peer reschedules the
+exit before the timeout occurs.
+
+schedule_exit() now only takes the context as argument. The signal is
+hard coded to SIGTERM, and the interval is read directly from the
+context options.
+
+Furthermore, schedule_exit() now returns a bool signifying whether an
+exit was scheduled; false if exit is already scheduled. The call sites
+are updated accordingly. A notable difference is that management is only
+notified *once* when an exit is scheduled - we no longer notify
+management on redundant exit.
+
+This patch was assigned a CVE number after already reviewed and ACKed,
+because it was discovered that a misbehaving client can use the (now
+fixed) server behaviour to avoid being disconnected by means of a
+managment interface "client-kill" command - the security issue here is
+"client can circumvent security policy set by management interface".
+
+This only affects previously authenticated clients, and only management
+client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
+affected.
+
+CVE: 2024-28882
+
+Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
+Signed-off-by: Reynir Björnsson
+Acked-by: Arne Schwabe
+Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
+Signed-off-by: Gert Doering
+
+CVE: CVE-2024-28882
+Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
+
+Signed-off-by: Haixiao Yan
+---
+ src/openvpn/forward.c | 15 +++++++++++----
+ src/openvpn/forward.h | 2 +-
+ src/openvpn/push.c | 12 +++++++-----
+ 3 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index e9811b9c81de..29e812ffd17d 100644
+--- a/src/openvpn/forward.c
++++ b/src/openvpn/forward.c
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
+ }
+
+ /*
+- * Schedule a signal n_seconds from now.
++ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+ */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
++bool
++schedule_exit(struct context *c)
+ {
++ const int n_seconds = c->options.scheduled_exit_interval;
++ /* don't reschedule if already scheduled.
 */
++ if (event_timeout_defined(&c->c2.scheduled_exit))
++ {
++ return false;
++ }
+ tls_set_single_session(c->c2.tls_multi);
+ update_time();
+ reset_coarse_timers(c);
+ event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+- c->c2.scheduled_exit_signal = signal;
++ c->c2.scheduled_exit_signal = SIGTERM;
+ msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
++ return true;
+ }
+
+ /*
+diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
+index 060fc374ca60..245a80292112 100644
+--- a/src/openvpn/forward.h
++++ b/src/openvpn/forward.h
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
+
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
++bool schedule_exit(struct context *c);
+
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 1b406b9c5311..d220eeb97442 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+ * */
+ if (c->options.mode == MODE_SERVER)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ if (!schedule_exit(c))
++ {
++ /* Return early when we don't need to notify management */
++ return;
++ }
+ }
+ else
+ {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+- if (event_timeout_defined(&c->c2.scheduled_exit))
++ if (!schedule_exit(c))
+ {
+ msg(D_TLS_DEBUG, "exit already scheduled for context");
+ return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
+ static const char auth_failed[] = "AUTH_FAILED";
+ size_t len;
+
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+ len = (client_reason ?
 strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ if (len > PUSH_BUNDLE_SIZE)
+ {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ schedule_exit(c);
+ send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+
+--
+2.34.1
+
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
index f8de78ff74..9b551d3ca2 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
@@ -10,6 +10,7 @@ inherit autotools systemd update-rc.d pkgconfig
 SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
 file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
 file://openvpn \
+ file://CVE-2024-28882.patch \
 "
 UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
--
cgit v1.2.3-54-g00ecf
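Review bot: `send_restart()` in the backported push.c hunk discards the new bool result of `schedule_exit(c)`, so when an exit is already pending the existing timer is left untouched and a RESTART is still sent on the control channel; the intent is reasonable but it is the one call site that neither branches on the result nor says why, so `(void)schedule_exit(c); /* exit may already be pending; RESTART is still sent */` would document it the way the early-return comment in receive_exit_message() does. The enclosing send_restart() body is complete within the nested hunk. Separately, the carried patch holds two CVE trailers, the upstream `CVE: 2024-28882` (no `CVE-` prefix) and the backport's own `CVE: CVE-2024-28882`; only the latter is in the `CVE-YYYY-NNNN` form that CVE-tracking tooling in the build system appears to look for, so it is the one doing the work and is worth a sentence in the recipe commit message so nobody "fixes" it away later.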