net-vpn/openvpn/files/openvpn-2.4.4-fix-illegal-client-float-CVE-2020-11810.patch - mirrors/cros/chromiumos/overlays/chromiumos-overlay - Git at Google

 From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
 From: Lev Stipakov <lev@openvpn.net>
 Date: Wed, 15 Apr 2020 10:30:17 +0300
 Subject: [PATCH] Fix illegal client float (CVE-2020-11810)

 There is a time frame between allocating peer-id and initializing data
 channel key (which is performed on receiving push request or on async
 push-reply) in which the existing peer-id float checks do not work right.

 If a "rogue" data channel packet arrives during that time frame from
 another address and  with same peer-id, this would cause client to float
 to that new address. This is because:

  - tls_pre_decrypt() sets packet length to zero if
    data channel key has not been initialized, which leads to

  - openvpn_decrypt() returns true if packet length is zero,
    which leads to

  - process_incoming_link_part1() returns true, which
    calls multi_process_float(), which commits float

 Note that problem doesn't happen when data channel key is initialized,
 since in this case openvpn_decrypt() returns false.

 The net effect of this behaviour is that the VPN session for the
 "victim client" is broken.  Since the "attacker client" does not have
 suitable keys, it can not inject or steal VPN traffic from the other
 session.  The time window is small and it can not be used to attack
 a specific client's session, unless some other way is found to make it
 disconnect and reconnect first.

 CVE-2020-11810 has been assigned to acknowledge this risk.

 Fix illegal float by adding buffer length check ("is this packet still
 considered valid") before calling multi_process_float().

 Trac: #1272
 CVE: 2020-11810

 Signed-off-by: Lev Stipakov <lev@openvpn.net>
 Acked-by: Arne Schwabe <arne@rfc2549.org>
 Acked-by: Antonio Quartulli <antonio@openvpn.net>
 Acked-by: Gert Doering <gert@greenie.muc.de>
 Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
 Signed-off-by: Gert Doering <gert@greenie.muc.de>
 ---
  src/openvpn/multi.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
 index b42bcec9..056e3dc7 100644
 --- a/src/openvpn/multi.c
 +++ b/src/openvpn/multi.c
 @@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
              orig_buf = c->c2.buf.data;
              if (process_incoming_link_part1(c, lsi, floated))
              {
 -                if (floated)
 +                /* nonzero length means that we have a valid, decrypted packed */
 +                if (floated && c->c2.buf.len > 0)
                  {
                      multi_process_float(m, m->pending);
                  }
 --
 2.27.0.rc2.251.g90737beb825-goog
	From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
	From: Lev Stipakov <lev@openvpn.net>
	Date: Wed, 15 Apr 2020 10:30:17 +0300
	Subject: [PATCH] Fix illegal client float (CVE-2020-11810)

	There is a time frame between allocating peer-id and initializing data
	channel key (which is performed on receiving push request or on async
	push-reply) in which the existing peer-id float checks do not work right.

	If a "rogue" data channel packet arrives during that time frame from
	another address and with same peer-id, this would cause client to float
	to that new address. This is because:

	- tls_pre_decrypt() sets packet length to zero if
	data channel key has not been initialized, which leads to

	- openvpn_decrypt() returns true if packet length is zero,
	which leads to

	- process_incoming_link_part1() returns true, which
	calls multi_process_float(), which commits float

	Note that problem doesn't happen when data channel key is initialized,
	since in this case openvpn_decrypt() returns false.

	The net effect of this behaviour is that the VPN session for the
	"victim client" is broken. Since the "attacker client" does not have
	suitable keys, it can not inject or steal VPN traffic from the other
	session. The time window is small and it can not be used to attack
	a specific client's session, unless some other way is found to make it
	disconnect and reconnect first.

	CVE-2020-11810 has been assigned to acknowledge this risk.

	Fix illegal float by adding buffer length check ("is this packet still
	considered valid") before calling multi_process_float().

	Trac: #1272
	CVE: 2020-11810

	Signed-off-by: Lev Stipakov <lev@openvpn.net>
	Acked-by: Arne Schwabe <arne@rfc2549.org>
	Acked-by: Antonio Quartulli <antonio@openvpn.net>
	Acked-by: Gert Doering <gert@greenie.muc.de>
	Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
	URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
	Signed-off-by: Gert Doering <gert@greenie.muc.de>
	---
	src/openvpn/multi.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
	index b42bcec9..056e3dc7 100644
	--- a/src/openvpn/multi.c
	+++ b/src/openvpn/multi.c
	@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context m, struct multi_instance inst
	orig_buf = c->c2.buf.data;
	if (process_incoming_link_part1(c, lsi, floated))
	{
	- if (floated)
	+ /* nonzero length means that we have a valid, decrypted packed */
	+ if (floated && c->c2.buf.len > 0)
	{
	multi_process_float(m, m->pending);
	}
	--
	2.27.0.rc2.251.g90737beb825-goog