From 674298698bad72b038f9653faf3e3c5a23790dfb Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Tue, 9 Feb 2021 17:21:39 +0800 Subject: [PATCH] fix CVE-2020-11810 --- CVE-2020-11810.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++ openvpn.spec | 10 +++++-- 2 files changed, 72 insertions(+), 3 deletions(-) create mode 100644 CVE-2020-11810.patch diff --git a/CVE-2020-11810.patch b/CVE-2020-11810.patch new file mode 100644 index 0000000..466cf0c --- /dev/null +++ b/CVE-2020-11810.patch @@ -0,0 +1,65 @@ +From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 +From: Lev Stipakov +Date: Wed, 15 Apr 2020 10:30:17 +0300 +Subject: [PATCH] Fix illegal client float (CVE-2020-11810) + +There is a time frame between allocating peer-id and initializing data +channel key (which is performed on receiving push request or on async +push-reply) in which the existing peer-id float checks do not work right. + +If a "rogue" data channel packet arrives during that time frame from +another address and with same peer-id, this would cause client to float +to that new address. This is because: + + - tls_pre_decrypt() sets packet length to zero if + data channel key has not been initialized, which leads to + + - openvpn_decrypt() returns true if packet length is zero, + which leads to + + - process_incoming_link_part1() returns true, which + calls multi_process_float(), which commits float + +Note that problem doesn't happen when data channel key is initialized, +since in this case openvpn_decrypt() returns false. + +The net effect of this behaviour is that the VPN session for the +"victim client" is broken. Since the "attacker client" does not have +suitable keys, it can not inject or steal VPN traffic from the other +session. The time window is small and it can not be used to attack +a specific client's session, unless some other way is found to make it +disconnect and reconnect first. + +CVE-2020-11810 has been assigned to acknowledge this risk. + +Fix illegal float by adding buffer length check ("is this packet still +considered valid") before calling multi_process_float(). + +Trac: #1272 +CVE: 2020-11810 + +Signed-off-by: Lev Stipakov +Acked-by: Arne Schwabe +Acked-by: Antonio Quartulli +Acked-by: Gert Doering +Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html +Signed-off-by: Gert Doering +--- + src/openvpn/multi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c +index b42bcec97..056e3dc76 100644 +--- a/src/openvpn/multi.c ++++ b/src/openvpn/multi.c +@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst + orig_buf = c->c2.buf.data; + if (process_incoming_link_part1(c, lsi, floated)) + { +- if (floated) ++ /* nonzero length means that we have a valid, decrypted packed */ ++ if (floated && c->c2.buf.len > 0) + { + multi_process_float(m, m->pending); + } diff --git a/openvpn.spec b/openvpn.spec index 313e107..1c886bf 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -1,10 +1,11 @@ Name: openvpn Version: 2.4.8 -Release: 3 +Release: 4 Summary: A full-featured open source SSL VPN solution -License: GPLv2 +License: GPLv2 and OpenSSL and SSLeay URL: https://community.openvpn.net/openvpn Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz +Patch0000: CVE-2020-11810.patch BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11 @@ -36,7 +37,7 @@ User guide and other related documents for %{name}. %prep %setup -q -n %{name}-%{version} - +%patch0000 -p1 %build %configure --enable-x509-alt-username --enable-iproute2 --with-crypto-library=openssl --enable-pkcs11 --enable-selinux --enable-systemd SYSTEMD_UNIT_DIR=%{_unitdir} TMPFILES_DIR=%{_tmpfilesdir} IPROUTE=/sbin/ip @@ -123,6 +124,9 @@ fi %{_mandir}/man8/%{name}.8* %changelog +* Thu Feb 04 2021 wangyue 2.4.8-4 +- fix CVE-2020-11810 + * Tue Mar 16 2020 daiqianwen 2.4.8-3 - modify systemd post preun postun -- Gitee