Your message dated Wed, 01 Aug 2018 08:39:12 +0000
with message-id <[email protected]>
and subject line Bug#895135: fixed in openvpn 2.4.6-1
has caused the Debian Bug report #895135,
regarding openvpn client DNS security hole in update-resolv-conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895135: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895135
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.4.0-6+deb9u2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,
   * What led up to the situation?
openvpn client received DNS from server but silently used local, possibly
compromised DNS server.

In the stretch openvpn server (2.4.0-6+deb9u2) the configuration file
server.conf contains the declarations:

 push "dhcp-option DNS 212.27.40.241"
 push "dhcp-option DNS 212.27.40.240"

In the stretch 32 bit client the configuration file client.conf contains the
declarations:

 script-security 2
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

When the client connects, the client log reports:

 Wed Apr  4 13:32:01 2018 us=398019
     PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
     dhcp-option DNS 212.27.40.241,dhcp-option DNS 212.27.40.240,
     route 10.8.0.1,topology net30,ping 10,ping-restart 120,
     ifconfig 10.8.0.6 10.8.0.5,peer-id 0'
 ...
 Wed Apr  4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500
     1561 10.8.0.6 10.8.0.5 init

Note the absence of any DNS error message.  I tested for correct DNS setup:

 rprice@kananga ~ dig debian.org | grep SERVER
 ;; SERVER: 10.218.0.1#53(10.218.0.1)

Clearly not the required DNS server. The file /etc/resolv.conf still contains:

 # Generated by NetworkManager
 nameserver 10.218.0.1

Looking more closely at script /etc/openvpn/update-resolv-conf, it begins with
the line

 [ -x /sbin/resolvconf ] || exit 0

File /sbin/resolvconf is not present, because package resolvconf is not yet
installed (sysadmins are overworked and forget things).  It is only suggested
and not required for openvpn, so the script fails silently!  This looks to me
like a serious security problem.  Joe Road-Warrior is out there, connected to
the "free" Wifi.  He follows corporate instructions to turn on his openvpn
client, but because of the exit 0 he is still using the local thoroughly
compromised DNS server.

The exit 0 needs to be replaced by

 1. A message in the log "Looks like you have forgotten package resolvconf"
 2. An exit 1 to assure that the openvpn client cannot start.
 3. Nice to have: A notification to Joe that his openvpn setup is broken.

Thanks, Best Regards, Roger

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-4-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u1
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u2
ii  libsystemd0            232-25+deb9u1
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u1
ii  resolvconf  1.79

-- debconf information excluded



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u1
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u1
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u2
pn  resolvconf  <none>

-- Configuration Files:
/etc/default/openvpn changed [not included]

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.4.6-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 30 Jul 2018 14:08:13 +0200
Source: openvpn
Binary: openvpn
Architecture: source
Version: 2.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Description:
 openvpn    - virtual private network daemon
Closes: 807808 867113 883601 895135
Changes:
 openvpn (2.4.6-1) unstable; urgency=medium
 .
   [ Jörg Frings-Fürst ]
   * New upstream release.
     - Refresh patches.
     - Fix "does not start if link-mtu is too low" (Closes: #867113).
     - Fix "auth-tokens are purged if auth-nocache is set" (Closes: #883601).
   * Migrate to debhelper 11:
     - Change debian/compat to 11.
     - Bump minimum debhelper version in debian/control to >= 11.
   * Declare compliance with Debian Policy 4.1.5 (No changes needed).
   * New debian/patches/spelling_errors.patch to correct spelling errors.
   * New debian/patches/systemd.patch to remove obsolete syslog.target.
   * debian/changelog:
     - Rewrite to DEP5 copyright format.
   * debian/control:
     - Change to my new email address.
     - Remove trailing whitespaces.
   * debian/rules:
     - Remove trailing whitespaces.
     - Replace outdated dh_installsystemd with dh_systemd_start.
     - Remove usr/share/doc/openvpn/COPYING.
     - Replace rm -f with $(RM).
   * debian/update-resolv-conf:
     - Fix "preserve order of pushed parameters" (Closes: #807808).
       Thanks to Thibaut Chèze.
     - Add syslog message if used without binary resolvconf (Closes: #895135).
       Thanks to Roger Price <[email protected]>.
   * debian/watch:
     - Use secure URI.
   * Remove obsolete debian/openvpn.lintian-overrides.
   * New README.source to explain the branching model used.

--- End Message ---
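Added example (not the Debian package's update-resolv-conf script and not code from the reporter or the maintainer) showing an up/down script prologue that fails loudly instead of `[ -x /sbin/resolvconf ] || exit 0`: it logs the missing-resolvconf condition to openvpn's log and syslog (the report's items 1 and 2, and the changelog's "Add syslog message" entry) and returns non-zero so the tunnel is not brought up with the old nameservers. Assumptions: RESOLVCONF_BIN is an overridable path added here for testing, the resolvconf interface name `${dev}.inet` and the `script_type`/`dev`/`foreign_option_N` variables follow what openvpn passes to `--up` scripts, and the pushed options are the ones from the report.

```shell
#!/bin/sh
# Added example, not the Debian openvpn package's own update-resolv-conf.
# Assumption: RESOLVCONF_BIN is overridable so the check can be tested.
RESOLVCONF_BIN="${RESOLVCONF_BIN:-/sbin/resolvconf}"

# Write MSG to openvpn's log (stderr of the up script) and, when logger(1)
# is available, to syslog, so the failure is visible in both places.
log_msg() {
    printf 'update-resolv-conf: %s\n' "$1" >&2
    command -v logger >/dev/null 2>&1 && logger -t update-resolv-conf -p daemon.err -- "$1"
    return 0
}

# Return 0 when the resolvconf binary is executable; otherwise log and
# return 1 so the caller aborts instead of keeping the local nameservers.
check_resolvconf() {
    [ -x "$RESOLVCONF_BIN" ] && return 0
    log_msg "Looks like you have forgotten package resolvconf; DNS would not be updated, aborting"
    return 1
}

# Translate pushed foreign_option_1..N into resolv.conf lines, in pushed order.
collect_dns() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#"dhcp-option DNS "}" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#"dhcp-option DOMAIN "}" ;;
        esac
        i=$((i + 1))
    done
}

# Entry point when invoked by openvpn: a non-zero exit from an --up script
# makes openvpn abort the connection rather than continue silently.
# Assumption: "${dev}.inet" is the resolvconf interface name used.
case "${script_type:-}" in
    up)   check_resolvconf || exit 1
          collect_dns | "$RESOLVCONF_BIN" -a "${dev}.inet" ;;
    down) check_resolvconf || exit 1
          "$RESOLVCONF_BIN" -d "${dev}.inet" ;;
esac
```

Run by hand with `RESOLVCONF_BIN=/nonexistent sh update-resolv-conf` to see the logged failure; openvpn itself never sees a silent exit 0 from this prologue.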
