Re: CVE issue flagged in OpenVPN

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3475 bytes --]

Hi Michael,

On 08/11/2021 17:25, Michael Tremer wrote:
> Hello Adolf,
> 
> Thank you for raising this.
> 
>> On 8 Nov 2021, at 13:59, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Hallo all,
>>
>> I had thought, from checks I had made, that there were no security related issues with OpenVPN after the release of 2.5.0 that is currently in IPFire.
>>
>> However it has been highlighted in the forum that there is CVE-2020-15078. I have had a look at this and very specific conditions have to be in place for this to be feasible.
> 
> IPFire systems should not be vulnerable in any configuration because we do not use the affected feature. However, we should of course still upgrade to a fixed version.
> 
>> So I believe that for the majority of IPFire users this will not be an issue but it could occur if someone is also using one of the OpenVPN plug-ins that are highlighted in the wiki and is also using "--auth-gen-token" or a user-specific token auth solution.
>>
>> While the above is unlikely it is not impossible. A fix for this CVE was put into 2.5.2
>>
>> I have looked through this release and 2.5.1 to see if there are any changes that might cause a problem for people using earlier features. I don't believe so from first glance but I am not 100% sure. I would want to very thoroughly test it to be sure there would be no unexpected impact.
>>
>> Therefore what I am doing is an update that leaves the 2.5.0 source file being used but where I will apply the patches from the commits in 2.5.2 that fix this CVE.
> 
> We could in theory cherry-pick just the fix for the vulnerability, but on the other hand I do not see anything that has DEPRECATION WARNING in big letters.
> 
> Also 2.5.4 is out already: https://github.com/OpenVPN/openvpn/releases/tag/v2.5.4
> 
>> This will give us a quick fix to the CVE in IPFire so even any small chance is closed and then I will look more closely at the later/latest versions and build them and test them to see if I can find any issue, similarly to how Erik and I tested out that 2.5.0 would not break anything. This way we can take time to make sure everything is really working as expected.
>>
>>
>> If there is any disagreement to my outlined approach above, please let me know.
>>
>> PS:- I have also found why I missed the the existence of the CVE. I was only reading the headlines of the changes from 2.4 to 2.5.4 and the CVE's were only mentioned in the detailed change notes from the involved versions. I know better now how to keep a correct eye on the changes.
> 
> Usually this should be at least referred to at the top (“Includes security fixes”), or there should be a separate security advisory.
> 
> I would suggest trying to upgrade to 2.5.4 and see whether that introduces any new regressions. The minor versions should not introduce any change in behaviour.
No problem. I will give 2.5.4 a go and see how it goes.
Trying just the commit fixes for the CVE has just failed anyway because it couldn't find a member called 'multi_state' so the "simple" fix is not going to be so "simple" anyway.
> 
> However, we are facing a lot of change with 2.6: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
Yes, just had a look at it. All those old weak ciphers will be actually removed. However I would really hope no one is still using ciphers like Blowfish.

Regards,
Adolf.
> 
> Best,
> -Michael
> 
>>
>> Regards,
>>
>> Adolf.
>>
>