So, we received a report that our use of 'wmic.exe' is unsafe and could
be exploited by a malicious server pushing a "suitable" DOMAIN - which
could not be reproduced by us or by the reporter.  So this was rejected
as "invalid report" and we did not assign a CVE number.

This said, at about the same time, we integrated a patch that replaces
use of 'wmic.exe' with a powershell command line (because MS is no longer
installing wmic.exe by default, and intends to actively remove it in 25H2)
- and it turns out that the powershell invocation was insecure against
malicious data sent by the server in a PUSH_REPLY.  This problematic code
is NOT in any released OpenVPN version (2.6.14 and 2.7_beta1 have wmic.exe),
so it doesn't get a CVE ID either (CNA rules).

This patch fixes this (before 2.6.15 release ;-) ) by introducing proper
positive-list validation of domain names used in powershell calls.  We
accept UTF8 encoded domain names (= all characters >= 0x80 are allowed),
because it's needed for some environments, and nothing in there translates
into a (power-)shell metacharacter.


Tested on a Win10 system I had around, with binaries built on Ubuntu 22.04
with MinGW.  Running OpenVPN from an elevated cmd prompt does

  "Failed to set DNS domain 'mooh.com'evil' because it contains invalid
   characters"

Running via the iservice, I get an error in OpenVPN log

  "TUN: adding dns domain failed using service: Die Daten sind
   unzulässig..." (German for "The data is invalid"; yeah, translations)

and one in Event Log

  "openvpnserv error:
   Failed to set DNS domain 'mooh.com'evil' because it contains invalid
   characters"

which is also how it should be.  With a valid domain, it still works :-)


Your patch has been applied to the release/2.6 branch.

(In master, the domain related code is sufficiently different to require
a separate patch)

commit 6c3afe508b15764eea4e5bdcbaed37c02c281d9a (release/2.6)
Author: Lev Stipakov
Date:   Thu Sep 18 19:34:40 2025 +0200

     Validate DNS domain name before powershell invocation

     Signed-off-by: Lev Stipakov <[email protected]>
     Acked-by: Gert Doering <[email protected]>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1198
     Message-Id: <[email protected]>
     URL: https://www.mail-archive.com/[email protected]/msg33071.html
     Signed-off-by: Gert Doering <[email protected]>


--
kind regards,

Gert Doering
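As an added illustration of the positive-list check described in the message above (this is example code written for this page, not the OpenVPN patch itself; the cmdlet and argument layout used in build_ps_fragment are an assumption made for the demonstration and not the exact command OpenVPN runs), the validator below accepts only ASCII letters, digits, '-', '.' and any byte >= 0x80, and refuses to build a PowerShell fragment for anything else. In PowerShell a single-quoted string ends at the next single quote, so a pushed domain such as mooh.com'evil would otherwise close the string and let the rest of the value be parsed as code; bytes >= 0x80 can never do that because every PowerShell metacharacter is ASCII, which is why UTF-8 encoded names can be allowed through unchanged.

```c
/* Added example, not OpenVPN code: positive-list validation of a DNS domain
 * before it is placed on a PowerShell command line.
 *
 * Allowed: ASCII letters, digits, '-', '.', and any byte >= 0x80 (UTF-8
 * encoded names).  Everything else, in particular quotes, whitespace, '$',
 * ';', '|', '(' and control characters, is rejected, so the value can never
 * terminate or extend the PowerShell expression it is embedded in.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

bool dns_domain_is_valid(const char *domain)
{
    if (domain == NULL || *domain == '\0')
        return false;

    for (const unsigned char *p = (const unsigned char *)domain; *p; p++) {
        unsigned char c = *p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' || c >= 0x80)
            continue;          /* on the positive list */
        return false;          /* anything else is refused */
    }
    return true;
}

/* Build the PowerShell fragment only for a validated name.  The cmdlet and
 * argument shown are an ASSUMPTION for illustration, not the command the
 * project actually runs.  Returns the number of bytes written, or -1 when
 * the domain was rejected or the buffer is too small. */
int build_ps_fragment(char *out, size_t outlen, const char *domain)
{
    if (!dns_domain_is_valid(domain)) {
        fprintf(stderr,
                "Failed to set DNS domain '%s' because it contains invalid characters\n",
                domain ? domain : "");
        return -1;
    }
    int n = snprintf(out, outlen,
                     "Set-DnsClientGlobalSetting -SuffixSearchList @('%s')",
                     domain);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience wrapper: length of the fragment that would be built, or -1. */
int ps_fragment_length(const char *domain)
{
    char buf[512];
    return build_ps_fragment(buf, sizeof buf, domain);
}

int main(void)
{
    /* Constructed sample inputs, including the one from the test report above. */
    const char *samples[] = {
        "mooh.com",                          /* valid */
        "mooh.com'evil",                     /* quote would end a '...' string */
        "b\xc3\xbc" "cher.example",          /* UTF-8 bytes >= 0x80, accepted */
        "corp.example; Start-Process calc",  /* separator and space rejected */
        "",                                  /* empty name rejected */
    };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_ps_fragment(buf, sizeof buf, samples[i]) > 0)
            printf("OK   : %s\n", buf);
    }
    return 0;
}
```

Run stand-alone, the program prints the built fragment for the two accepted names and writes the "invalid characters" diagnostic for the other three to stderr.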

