| From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 |
| From: Lev Stipakov <lev@openvpn.net> |
| Date: Wed, 15 Apr 2020 10:30:17 +0300 |
| Subject: [PATCH] Fix illegal client float (CVE-2020-11810) |
| |
| There is a time frame between allocating peer-id and initializing data |
| channel key (which is performed on receiving push request or on async |
| push-reply) in which the existing peer-id float checks do not work right. |
| |
| If a "rogue" data channel packet arrives during that time frame from |
| another address and with same peer-id, this would cause client to float |
| to that new address. This is because: |
| |
| - tls_pre_decrypt() sets packet length to zero if |
| data channel key has not been initialized, which leads to |
| |
| - openvpn_decrypt() returns true if packet length is zero, |
| which leads to |
| |
| - process_incoming_link_part1() returns true, which |
| calls multi_process_float(), which commits float |
| |
| Note that problem doesn't happen when data channel key is initialized, |
| since in this case openvpn_decrypt() returns false. |
| |
| The net effect of this behaviour is that the VPN session for the |
| "victim client" is broken. Since the "attacker client" does not have |
| suitable keys, it can not inject or steal VPN traffic from the other |
| session. The time window is small and it can not be used to attack |
| a specific client's session, unless some other way is found to make it |
| disconnect and reconnect first. |
| |
| CVE-2020-11810 has been assigned to acknowledge this risk. |
| |
| Fix illegal float by adding buffer length check ("is this packet still |
| considered valid") before calling multi_process_float(). |
| |
| Trac: #1272 |
| CVE: 2020-11810 |
| |
| Signed-off-by: Lev Stipakov <lev@openvpn.net> |
| Acked-by: Arne Schwabe <arne@rfc2549.org> |
| Acked-by: Antonio Quartulli <antonio@openvpn.net> |
| Acked-by: Gert Doering <gert@greenie.muc.de> |
| Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> |
| URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html |
| Signed-off-by: Gert Doering <gert@greenie.muc.de> |
| --- |
| src/openvpn/multi.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c |
| index b42bcec9..056e3dc7 100644 |
| --- a/src/openvpn/multi.c |
| +++ b/src/openvpn/multi.c |
| @@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst |
| orig_buf = c->c2.buf.data; |
| if (process_incoming_link_part1(c, lsi, floated)) |
| { |
| - if (floated) |
| + /* nonzero length means that we have a valid, decrypted packed */ |
| + if (floated && c->c2.buf.len > 0) |
| { |
| multi_process_float(m, m->pending); |
| } |
| -- |
| 2.27.0.rc2.251.g90737beb825-goog |
| |