Hi, On Thu, May 11, 2017 at 11:00:57AM +0200, Steffan Karger wrote: > Commit 358f513c changed the maximum size of accepted control channel > packets. This was needed for crypto negotiation (which is needed for a > nice transition to a new default cipher), but exposed a DoS > vulnerability. The vulnerability was found during the OpenVPN 2.4 code > audit by Quarkslab (commisioned by OSTIF). > > To fix the issue, we should not ASSERT() on external input (in this case > the received packet size), but instead gracefully error out and drop the > invalid packet. > > Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com> > --- > Changes.rst | 5 +++++ > src/openvpn/ssl.c | 7 ++++++- > 2 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/Changes.rst b/Changes.rst > index 183e9fa..cc6ca2b 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -109,6 +109,11 @@ Version 2.3.15 > > Security fixes > -------------- > +- Fix a pre-authentication denial-of-service attack on both clients and > servers. > + By sending a too-large control packet, OpenVPN 2.3.12 and newer can be > forced > + to hit an ASSERT() and stop the process. If ``--tls-auth`` or > ``--tls-crypt`` > + is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
When applying, please remove the "--tls-crypt" reference as 2.3 does not have this (so it's confusing at best). > + can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) > - Fix an authenticated remote DoS vulnerability that could be triggered by > causing a packet id roll over. An attack is rather inefficient; a peer > would need to get us to send at least about 196 GB of data. > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 32d0b6b..c8f093d 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -3228,7 +3228,12 @@ tls_pre_decrypt (struct tls_multi *multi, > /* Save incoming ciphertext packet to reliable > buffer */ > struct buffer *in = reliable_get_buf > (ks->rec_reliable); > ASSERT (in); > - ASSERT (buf_copy (in, buf)); > + if (!buf_copy (in, buf)) > + { > + msg (D_MULTI_DROPPED, > + "Incoming control channel packet too big, > dropping."); > + goto error; > + } > reliable_mark_active_incoming (ks->rec_reliable, > in, id, op); > } ACK. Same patch as in 2.4+master. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel