Bug 1489559 - openvpn LDAP plugin binds before StartTLS
Summary: openvpn LDAP plugin binds before StartTLS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openvpn-auth-ldap
Version: epel7
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Sean Callaway
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-09-07 17:47 UTC by Patrick MacArthur
Modified: 2019-02-11 01:17 UTC (History)
4 users

Fixed In Version: openvpn-auth-ldap-2.0.3-15.el7 openvpn-auth-ldap-2.0.3-16.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-11 01:17:49 UTC


Attachments
Patch for fixing bind before STARTTLS in 2.0.3 (1.09 KB, patch)
2017-09-13 17:52 UTC, Sean Callaway

Description Patrick MacArthur 2017-09-07 17:47:39 UTC
Description of problem:
Upstream issue https://github.com/threerings/openvpn-auth-ldap/issues/19.

Basically the code binds before doing starttls, which (1) causes the bind password to be transmitted in plaintext, and (2) implicitly unbinds, making the bind useless.

Version-Release number of selected component (if applicable):
openvpn-auth-ldap-2.0.3-14.1el7
(and probably all previous versions)

How reproducible:
Install openvpn-auth-ldap, set up a VPN server instance to use it, and set BindDN and Password in the Authorization section of the auth-ldap.conf file, and set RequireGroup=true and set up a group.

Steps to Reproduce:
1. Set up a RHEL 7 freeipa instance with at least one user and one group.
2. Set up VPN server as described above. Set up openvpn-auth-ldap to authenticate against the freeipa LDAP server and require the user to be a member of at least one group.
3. Start openvpn.
4. Connect from a client system.

Actual results:
Client successfully authenticates and binddn password is not transmitted in plaintext.

Expected results:
Authentication fails due to not being able to query the group membership (since the bind has been reset by starttls). The bind password is transmitted in plaintext since the bind occurred before starttls.

Additional info:
Upstream patch at https://github.com/threerings/openvpn-auth-ldap/commit/4a87c1a59717acd5de8831c9561b9fe338efa9c5#diff-6b63bb233e57531d2583d0a7a36726d4

There was no upstream CVE issued for this even though it is a huge security hole IMHO. Mitigated by the fact that most openldap server deployments will not require a binddn to access group information.
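The two consequences of the ordering bug described above can be checked mechanically on the sequence of LDAP operations a client sends. The following is an added example, not code from the bug report or from openvpn-auth-ldap: it models a client session as a list of operations and flags (1) bind credentials sent before the TLS layer is installed and (2) searches that run anonymously because, as the report describes, StartTLS resets the association and discards a bind that preceded it. The DNs and the two traces are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Constructed DNs for the example; they are not taken from the bug report.
BIND_DN = "uid=vpn-service,cn=sysaccounts,cn=etc,dc=example,dc=test"
USER_BASE = "cn=users,cn=accounts,dc=example,dc=test"
GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=test"


@dataclass
class Finding:
    index: int      # position of the offending operation in the trace
    op: str
    problem: str


@dataclass
class Session:
    tls: bool = False
    bound_as: Optional[str] = None              # None means anonymous
    plaintext_credentials: List[str] = field(default_factory=list)


def simulate(ops: Sequence[Tuple[str, ...]]):
    """Replay a trace of ("starttls",), ("bind", dn) and ("search", base)
    operations and return the final session state plus a list of findings."""
    session = Session()
    findings: List[Finding] = []
    for i, op in enumerate(ops):
        kind = op[0]
        if kind == "starttls":
            # Modelled after point (2) of the report: installing TLS resets
            # the association, so any earlier bind is lost.
            if session.bound_as is not None:
                findings.append(Finding(i, kind,
                    f"StartTLS resets the association; the earlier bind as "
                    f"{session.bound_as} is discarded"))
            session.tls = True
            session.bound_as = None
        elif kind == "bind":
            dn = op[1]
            if not session.tls:
                # Point (1) of the report: the password crosses the wire unprotected.
                session.plaintext_credentials.append(dn)
                findings.append(Finding(i, kind,
                    f"credentials for {dn} sent before StartTLS, i.e. in plaintext"))
            session.bound_as = dn
        elif kind == "search":
            base = op[1]
            if session.bound_as is None:
                findings.append(Finding(i, kind,
                    f"search under {base} runs anonymously; a directory that "
                    f"requires a bind for group data will return nothing"))
        else:
            raise ValueError(f"unknown operation {kind!r}")
    return session, findings


# Order used by the affected plugin versions (bind first), then the fixed order.
BUGGY_ORDER = [("bind", BIND_DN), ("starttls",),
               ("search", USER_BASE), ("search", GROUP_BASE)]
FIXED_ORDER = [("starttls",), ("bind", BIND_DN),
               ("search", USER_BASE), ("search", GROUP_BASE)]


def problems(ops: Sequence[Tuple[str, ...]]) -> List[str]:
    """Convenience wrapper: just the problem strings for a trace."""
    return [f.problem for f in simulate(ops)[1]]


if __name__ == "__main__":
    for name, trace in (("buggy", BUGGY_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "->", problems(trace) or "no findings")
```

The same invariant is what the upstream fix enforces in the plugin: the StartTLS exchange must complete before the BindDN credentials are sent, and every search that depends on that bind must follow it. On a live system the operation order can be read from the plugin's debug logging or from a packet capture of port 389, and the findings above map directly onto what the reporter observed.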

Comment 1 Sean Callaway 2017-09-11 18:37:20 UTC
Will be doing a new build and some initial tests this week.

Comment 2 Sean Callaway 2017-09-13 17:48:57 UTC
Patch doesn't match the version of auth-ldap we are building, so generating a new patch for the same fix.

Comment 3 Sean Callaway 2017-09-13 17:52:36 UTC
Created attachment 1325549 [details]
Patch for fixing bind before STARTTLS in 2.0.3

Comment 4 Sean Callaway 2017-09-13 18:48:25 UTC
New build should be up in testing shortly.

https://koji.fedoraproject.org/koji/buildinfo?buildID=970112

Comment 5 Fedora Update System 2017-09-21 15:20:34 UTC
openvpn-auth-ldap-2.0.3-15.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-52b8147c68

Comment 6 Fedora Update System 2017-09-22 05:50:31 UTC
openvpn-auth-ldap-2.0.3-15.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-52b8147c68

Comment 7 Fedora Update System 2017-12-17 20:32:01 UTC
openvpn-auth-ldap-2.0.3-15.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 aaronmaxlevy 2019-01-22 22:59:00 UTC
This bug was not fixed unfortunately. While the patch definition was added to the spec file, it isn’t actually applied and so this bug is still occurring.
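The regression described in this comment, a patch declared in the spec file but never applied in %prep, can be caught before a build is submitted. The following is an added example, not part of the bug report or of Fedora's packaging tooling: it parses a spec file for PatchN tags and reports any that no %patch line (or an %autosetup/%autopatch that applies everything) picks up. The spec text is constructed for the example and does not reproduce the real openvpn-auth-ldap spec; handling of %autopatch ranges (-m/-M) is deliberately left out.

```python
import re
from typing import Dict, Set

# "Patch:" with no number is treated as patch 0 (rpm's convention, assumed here).
PATCH_TAG = re.compile(r"^\s*Patch(\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
PATCH_APPLY = re.compile(r"^\s*%patch(\d*)\b(.*)$", re.MULTILINE)
AUTO_APPLY = re.compile(r"^\s*%(autosetup|autopatch)\b(.*)$", re.MULTILINE)


def declared_patches(spec_text: str) -> Dict[int, str]:
    """Patch number -> file name for every PatchN: tag in the spec."""
    declared: Dict[int, str] = {}
    for m in PATCH_TAG.finditer(spec_text):
        num = int(m.group(1)) if m.group(1) else 0
        declared[num] = m.group(2)
    return declared


def applied_patches(spec_text: str) -> Set[int]:
    """Patch numbers applied by explicit %patchN, %patch -P N or %patch N lines."""
    applied: Set[int] = set()
    for m in PATCH_APPLY.finditer(spec_text):
        num, rest = m.group(1), m.group(2)
        if num:                                   # %patch1 -p1
            applied.add(int(num))
        for p in re.findall(r"-P\s*(\d+)", rest):  # %patch -P1 -p1 / %patch -P 1
            applied.add(int(p))
        for tok in rest.split():                  # %patch 1 -p1 (positional form)
            if tok.isdigit():
                applied.add(int(tok))
    return applied


def auto_applies_all(spec_text: str) -> bool:
    """True when %autosetup (without -N) or %autopatch applies every patch."""
    for m in AUTO_APPLY.finditer(spec_text):
        if m.group(1) == "autopatch" or "-N" not in m.group(2).split():
            return True
    return False


def unapplied_patches(spec_text: str) -> Dict[int, str]:
    """Declared patches that nothing in %prep applies: the bug from this comment."""
    declared = declared_patches(spec_text)
    if auto_applies_all(spec_text):
        return {}
    applied = applied_patches(spec_text)
    return {n: f for n, f in declared.items() if n not in applied}


# Constructed spec fragment: Patch1 is declared but never applied.
BROKEN_SPEC = """\
Name:           example-auth-ldap
Version:        2.0.3
Release:        15%{?dist}
Source0:        example-auth-ldap-%{version}.tar.gz
Patch0:         example-auth-ldap-build.patch
Patch1:         example-auth-ldap-starttls-before-bind.patch

%prep
%setup -q
%patch0 -p1

%build
%configure
%make_build
"""

# Same spec with the missing %patch1 line added.
FIXED_SPEC = BROKEN_SPEC.replace("%patch0 -p1\n", "%patch0 -p1\n%patch1 -p1\n")

if __name__ == "__main__":
    for name, spec in (("broken", BROKEN_SPEC), ("fixed", FIXED_SPEC)):
        missing = unapplied_patches(spec)
        print(name, "->", missing or "all declared patches are applied")
```

A check like this belongs in the packager's pre-submit routine; a complementary runtime confirmation is to run the %prep stage alone (rpmbuild -bp) and verify that the expected hunk is present in the unpacked source tree before the update is pushed to testing.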

Comment 9 Sean Callaway 2019-01-23 16:48:36 UTC
(In reply to aaronmaxlevy from comment #8)
> This bug was not fixed unfortunately. While the patch definition was added
> to the spec file, it isn’t actually applied and so this bug is still
> occurring.

Ah! I see it! Not sure how that slipped through. Will work on fixing that today.

Comment 10 Sean Callaway 2019-01-23 17:40:16 UTC
Build underway: https://koji.fedoraproject.org/koji/buildinfo?buildID=1181769

Comment 11 Sean Callaway 2019-01-23 17:49:31 UTC
Corrected RPMs have been built. Once they make it into the testing repo, please confirm the fix.

Comment 12 Fedora Update System 2019-01-26 18:58:47 UTC
openvpn-auth-ldap-2.0.3-16.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-040983bb83

Comment 13 Fedora Update System 2019-01-27 00:09:12 UTC
openvpn-auth-ldap-2.0.3-16.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-040983bb83

Comment 14 Fedora Update System 2019-02-11 01:17:49 UTC
openvpn-auth-ldap-2.0.3-16.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
