mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

openvpn: fix CVE-2024-28882

Browse Source 
CVE-2024-28882: OpenVPN in a server role accepts multiple exit
notifications from authenticated clients which will extend the
validity of a closing session

References:
https://community.openvpn.net/openvpn/wiki/CVE-2024-28882

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Haixiao Yan
2024-11-06 17:58:48 +08:00
committed by Armin Kuster
parent aed7003e72
commit 6c870913b8
2 changed files with 145 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
+144
View File
@@ -0,0 +1,144 @@
From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
Date: Thu, 16 May 2024 13:58:08 +0200
Subject: [PATCH] Only schedule_exit() once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.
schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.
Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.
This patch was assigned a CVE number after already reviewed and ACKed,
because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
managment interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".
This only affects previously authenticated clients, and only management
client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
affected.
CVE: 2024-28882
Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
CVE: CVE-2024-28882
Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
src/openvpn/forward.c | 15 +++++++++++----
src/openvpn/forward.h | 2 +-
src/openvpn/push.c | 12 +++++++-----
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index e9811b9c81de..29e812ffd17d 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
}
/*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
*/
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
{
+ const int n_seconds = c->options.scheduled_exit_interval;
+ /* don't reschedule if already scheduled. */
+ if (event_timeout_defined(&c->c2.scheduled_exit))
+ {
+ return false;
+ }
tls_set_single_session(c->c2.tls_multi);
update_time();
reset_coarse_timers(c);
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
- c->c2.scheduled_exit_signal = signal;
+ c->c2.scheduled_exit_signal = SIGTERM;
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+ return true;
}
/*
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 060fc374ca60..245a80292112 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
static inline struct link_socket_info *
get_link_socket_info(struct context *c)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 1b406b9c5311..d220eeb97442 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
* */
if (c->options.mode == MODE_SERVER)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ if (!schedule_exit(c))
+ {
+ /* Return early when we don't need to notify management */
+ return;
+ }
}
else
{
@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
void
send_auth_failed(struct context *c, const char *client_reason)
{
- if (event_timeout_defined(&c->c2.scheduled_exit))
+ if (!schedule_exit(c))
{
msg(D_TLS_DEBUG, "exit already scheduled for context");
return;
@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
static const char auth_failed[] = "AUTH_FAILED";
size_t len;
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
{
@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
void
send_restart(struct context *c, const char *kill_msg)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ schedule_exit(c);
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
}
--
2.34.1
meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
+1
View File
@@ -10,6 +10,7 @@ inherit autotools systemd update-rc.d pkgconfig
SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
file://openvpn \
file://CVE-2024-28882.patch \
"
UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"