diff options
Diffstat (limited to 'meta-networking')
4 files changed, 272 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch new file mode 100644 index 0000000000..b42b3040ef --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 2c1de0f0803360c0a6408f754066bd3a6fb28237 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lev Stipakov <lstipakov@gmail.com> | ||
| 3 | Date: Tue, 19 Mar 2024 17:16:07 +0200 | ||
| 4 | Subject: [PATCH] interactive.c: disable remote access to the service pipe | ||
| 5 | |||
| 6 | Remote access to the service pipe is not needed and might | ||
| 7 | be a potential attack vector. | ||
| 8 | |||
| 9 | For example, if an attacker manages to get credentials for | ||
| 10 | a user which is the member of "OpenVPN Administrators" group | ||
| 11 | on a victim machine, an attacker might be able to communicate | ||
| 12 | with the privileged interactive service on a victim machine | ||
| 13 | and start openvpn processes remotely. | ||
| 14 | |||
| 15 | CVE: 2024-24974 | ||
| 16 | |||
| 17 | Microsoft case number: 85925 | ||
| 18 | |||
| 19 | Reported-by: Vladimir Tokarev <vtokarev@microsoft.com> | ||
| 20 | Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 | ||
| 21 | Signed-off-by: Lev Stipakov <lev@openvpn.net> | ||
| 22 | Acked-by: Heiko Hund <heiko@openvpn.net> | ||
| 23 | Message-Id: <20240319151723.936-2-lev@openvpn.net> | ||
| 24 | URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html | ||
| 25 | Signed-off-by: Gert Doering <gert@greenie.muc.de> | ||
| 26 | |||
| 27 | CVE:CVE-2024-24974 | ||
| 28 | Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/2c1de0f0803360c0a6408f754066bd3a6fb28237] | ||
| 29 | |||
| 30 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 31 | --- | ||
| 32 | src/openvpnserv/interactive.c | 2 +- | ||
| 33 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 34 | |||
| 35 | diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c | ||
| 36 | index 3b120ae..5e3ff12 100644 | ||
| 37 | --- a/src/openvpnserv/interactive.c | ||
| 38 | +++ b/src/openvpnserv/interactive.c | ||
| 39 | @@ -1994,7 +1994,7 @@ CreateClientPipeInstance(VOID) | ||
| 40 | |||
| 41 | openvpn_sntprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%s\\service"), service_instance); | ||
| 42 | pipe = CreateNamedPipe(pipe_name, flags, | ||
| 43 | - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, | ||
| 44 | + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, | ||
| 45 | PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); | ||
| 46 | if (pipe == INVALID_HANDLE_VALUE) | ||
| 47 | { | ||
| 48 | -- | ||
| 49 | 2.40.0 | ||
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch new file mode 100644 index 0000000000..d04eeb571d --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch | |||
| @@ -0,0 +1,99 @@ | |||
| 1 | From 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lev Stipakov <lstipakov@gmail.com> | ||
| 3 | Date: Tue, 19 Mar 2024 17:27:11 +0200 | ||
| 4 | Subject: [PATCH] interactive.c: Fix potential stack overflow issue | ||
| 5 | When reading message from the pipe, we first peek the pipe to get the size | ||
| 6 | of the message waiting to be read and then read the message. A compromised | ||
| 7 | OpenVPN process could send an excessively large message, which would result | ||
| 8 | in a stack-allocated message buffer overflow. | ||
| 9 | |||
| 10 | To address this, we terminate the misbehaving process if the peeked message | ||
| 11 | size exceeds the maximum allowable size. | ||
| 12 | |||
| 13 | CVE: 2024-27459 | ||
| 14 | Microsoft case number: 85932 | ||
| 15 | |||
| 16 | Reported-by: Vladimir Tokarev <vtokarev@microsoft.com> | ||
| 17 | Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada | ||
| 18 | Signed-off-by: Lev Stipakov <lev@openvpn.net> | ||
| 19 | Acked-by: Heiko Hund <heiko@openvpn.net> | ||
| 20 | Message-Id: <20240319152803.1801-2-lev@openvpn.net> | ||
| 21 | URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html | ||
| 22 | Signed-off-by: Gert Doering <gert@greenie.muc.de> | ||
| 23 | |||
| 24 | CVE:CVE-2024-27459 | ||
| 25 | Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/989b22cb6e007fd1addcfaf7d12f4fec9fbc9639] | ||
| 26 | |||
| 27 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 28 | --- | ||
| 29 | src/openvpnserv/interactive.c | 34 +++++++++++++++++++++------------- | ||
| 30 | 1 file changed, 21 insertions(+), 13 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c | ||
| 33 | index 5e3ff12..f613b99 100644 | ||
| 34 | --- a/src/openvpnserv/interactive.c | ||
| 35 | +++ b/src/openvpnserv/interactive.c | ||
| 36 | @@ -111,6 +111,18 @@ typedef struct { | ||
| 37 | HANDLE device; | ||
| 38 | } ring_buffer_handles_t; | ||
| 39 | |||
| 40 | +typedef union { | ||
| 41 | + message_header_t header; | ||
| 42 | + address_message_t address; | ||
| 43 | + route_message_t route; | ||
| 44 | + flush_neighbors_message_t flush_neighbors; | ||
| 45 | + block_dns_message_t block_dns; | ||
| 46 | + dns_cfg_message_t dns; | ||
| 47 | + enable_dhcp_message_t dhcp; | ||
| 48 | + register_ring_buffers_message_t rrb; | ||
| 49 | + set_mtu_message_t mtu; | ||
| 50 | + wins_cfg_message_t wins; | ||
| 51 | +} pipe_message_t; | ||
| 52 | |||
| 53 | static DWORD | ||
| 54 | AddListItem(list_item_t **pfirst, LPVOID data) | ||
| 55 | @@ -1444,18 +1456,7 @@ static VOID | ||
| 56 | HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles, | ||
| 57 | DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) | ||
| 58 | { | ||
| 59 | - DWORD read; | ||
| 60 | - union { | ||
| 61 | - message_header_t header; | ||
| 62 | - address_message_t address; | ||
| 63 | - route_message_t route; | ||
| 64 | - flush_neighbors_message_t flush_neighbors; | ||
| 65 | - block_dns_message_t block_dns; | ||
| 66 | - dns_cfg_message_t dns; | ||
| 67 | - enable_dhcp_message_t dhcp; | ||
| 68 | - register_ring_buffers_message_t rrb; | ||
| 69 | - set_mtu_message_t mtu; | ||
| 70 | - } msg; | ||
| 71 | + pipe_message_t msg; | ||
| 72 | ack_message_t ack = { | ||
| 73 | .header = { | ||
| 74 | .type = msg_acknowledgement, | ||
| 75 | @@ -1465,7 +1466,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_ | ||
| 76 | .error_number = ERROR_MESSAGE_DATA | ||
| 77 | }; | ||
| 78 | |||
| 79 | - read = ReadPipeAsync(pipe, &msg, bytes, count, events); | ||
| 80 | + DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); | ||
| 81 | if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) | ||
| 82 | { | ||
| 83 | goto out; | ||
| 84 | @@ -1884,6 +1885,13 @@ RunOpenvpn(LPVOID p) | ||
| 85 | break; | ||
| 86 | } | ||
| 87 | |||
| 88 | + if (bytes > sizeof(pipe_message_t)) | ||
| 89 | + { | ||
| 90 | + /* process at the other side of the pipe is misbehaving, shut it down */ | ||
| 91 | + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); | ||
| 92 | + break; | ||
| 93 | + } | ||
| 94 | + | ||
| 95 | HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists); | ||
| 96 | } | ||
| 97 | |||
| 98 | -- | ||
| 99 | 2.40.0 | ||
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch new file mode 100644 index 0000000000..d0726ab35c --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch | |||
| @@ -0,0 +1,119 @@ | |||
| 1 | From aaea545d8a940f761898d736b68bcb067d503b1d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lev Stipakov <lstipakov@gmail.com> | ||
| 3 | Date: Tue, 19 Mar 2024 15:53:45 +0200 | ||
| 4 | Subject: [PATCH] win32: Enforce loading of plugins from a trusted directory | ||
| 5 | |||
| 6 | Currently, there's a risk associated with allowing plugins to be loaded from | ||
| 7 | any location. This update ensures plugins are only loaded from a trusted | ||
| 8 | directory, which is either: | ||
| 9 | |||
| 10 | - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing, | ||
| 11 | then HKLM\SOFTWARE\OpenVPN, which is installation directory) | ||
| 12 | |||
| 13 | - System directory | ||
| 14 | |||
| 15 | Loading from UNC paths is disallowed. | ||
| 16 | |||
| 17 | Note: This change affects only Windows environments. | ||
| 18 | |||
| 19 | CVE: 2024-27903 | ||
| 20 | |||
| 21 | Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d | ||
| 22 | Reported-by: Vladimir Tokarev <vtokarev@microsoft.com> | ||
| 23 | Signed-off-by: Lev Stipakov <lev@openvpn.net> | ||
| 24 | Acked-by: Selva Nair <selva.nair@gmail.com> | ||
| 25 | Message-Id: <20240319135355.1279-2-lev@openvpn.net> | ||
| 26 | URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html | ||
| 27 | Signed-off-by: Gert Doering <gert@greenie.muc.de> | ||
| 28 | |||
| 29 | CVE:CVE-2024-27903 | ||
| 30 | Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/aaea545d8a940f761898d736b68bcb067d503b1d] | ||
| 31 | |||
| 32 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 33 | --- | ||
| 34 | src/openvpn/plugin.c | 18 +++++++++++++++--- | ||
| 35 | src/openvpn/win32.c | 21 +++++++++------------ | ||
| 36 | 2 files changed, 24 insertions(+), 15 deletions(-) | ||
| 37 | |||
| 38 | diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c | ||
| 39 | index ed5d7c0..f7315f4 100644 | ||
| 40 | --- a/src/openvpn/plugin.c | ||
| 41 | +++ b/src/openvpn/plugin.c | ||
| 42 | @@ -279,11 +279,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) | ||
| 43 | |||
| 44 | #else /* ifndef _WIN32 */ | ||
| 45 | |||
| 46 | - rel = !platform_absolute_pathname(p->so_pathname); | ||
| 47 | - p->module = LoadLibraryW(wide_string(p->so_pathname, &gc)); | ||
| 48 | + WCHAR *wpath = wide_string(p->so_pathname, &gc); | ||
| 49 | + WCHAR normalized_plugin_path[MAX_PATH] = {0}; | ||
| 50 | + /* Normalize the plugin path, converting any relative paths to absolute paths. */ | ||
| 51 | + if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL)) | ||
| 52 | + { | ||
| 53 | + msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath); | ||
| 54 | + } | ||
| 55 | + | ||
| 56 | + if (!plugin_in_trusted_dir(normalized_plugin_path)) | ||
| 57 | + { | ||
| 58 | + msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path); | ||
| 59 | + } | ||
| 60 | + | ||
| 61 | + p->module = LoadLibraryW(normalized_plugin_path); | ||
| 62 | if (!p->module) | ||
| 63 | { | ||
| 64 | - msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname); | ||
| 65 | + msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path); | ||
| 66 | } | ||
| 67 | |||
| 68 | #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) | ||
| 69 | diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c | ||
| 70 | index e91e742..1e61ffa 100644 | ||
| 71 | --- a/src/openvpn/win32.c | ||
| 72 | +++ b/src/openvpn/win32.c | ||
| 73 | @@ -1532,27 +1532,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for | ||
| 74 | return (len >= 0 && len < size); | ||
| 75 | } | ||
| 76 | |||
| 77 | -static BOOL | ||
| 78 | -get_install_path(WCHAR *path, DWORD size) | ||
| 79 | +bool | ||
| 80 | +get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size) | ||
| 81 | { | ||
| 82 | WCHAR reg_path[256]; | ||
| 83 | - HKEY key; | ||
| 84 | - BOOL res = FALSE; | ||
| 85 | + HKEY hkey; | ||
| 86 | openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); | ||
| 87 | |||
| 88 | - LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); | ||
| 89 | + LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey); | ||
| 90 | if (status != ERROR_SUCCESS) | ||
| 91 | { | ||
| 92 | - return res; | ||
| 93 | + return false; | ||
| 94 | } | ||
| 95 | |||
| 96 | - /* The default value of REG_KEY is the install path */ | ||
| 97 | - status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); | ||
| 98 | - res = status == ERROR_SUCCESS; | ||
| 99 | + status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size); | ||
| 100 | |||
| 101 | - RegCloseKey(key); | ||
| 102 | + RegCloseKey(hkey); | ||
| 103 | |||
| 104 | - return res; | ||
| 105 | + return status == ERROR_SUCCESS; | ||
| 106 | } | ||
| 107 | |||
| 108 | static void | ||
| 109 | @@ -1561,7 +1558,7 @@ set_openssl_env_vars() | ||
| 110 | const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32"; | ||
| 111 | |||
| 112 | WCHAR install_path[MAX_PATH] = { 0 }; | ||
| 113 | - if (!get_install_path(install_path, _countof(install_path))) | ||
| 114 | + if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path))) | ||
| 115 | { | ||
| 116 | /* if we cannot find installation path from the registry, | ||
| 117 | * use Windows directory as a fallback | ||
| 118 | -- | ||
| 119 | 2.40.0 | ||
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb index 828cd5033e..b5ee31078b 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb | |||
| @@ -10,7 +10,11 @@ inherit autotools systemd update-rc.d | |||
| 10 | SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ | 10 | SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ |
| 11 | file://openvpn \ | 11 | file://openvpn \ |
| 12 | file://openvpn@.service \ | 12 | file://openvpn@.service \ |
| 13 | file://openvpn-volatile.conf" | 13 | file://openvpn-volatile.conf \ |
| 14 | file://CVE-2024-24974.patch \ | ||
| 15 | file://CVE-2024-27459.patch \ | ||
| 16 | file://CVE-2024-27903.patch \ | ||
| 17 | " | ||
| 14 | 18 | ||
| 15 | UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" | 19 | UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" |
| 16 | 20 | ||
