Bug 520918 - openvpn crashes on invalid authentication
Summary: openvpn crashes on invalid authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 11
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-02 20:36 UTC by Vincent Danen
Modified: 2010-01-28 01:02 UTC (History)

Fixed In Version: 2.1.1-2.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-14 01:23:22 UTC
Type: ---
Embargoed:



Description Vincent Danen 2009-09-02 20:36:32 UTC
During the investigation of a Debian bug report regarding file exhaustion when LDAP+TLS authentication is used, I found that the openvpn server terminates with SIGTERM when there is a valid connection that requires authentication but the password is incorrect (regardless of whether the user account exists or not).

The client and server are set up with TLS support, the server uses LDAP for authentication (also over TLS, but I don't think this matters) via PAM.  It looks as though the crash is due to /sbin/ip not being able to delete the tun0 device (although I'm not sure why it wants to).

On the server, I get this output:

# openvpn --config /etc/openvpn/openvpn.conf --script-security 2
Wed Sep  2 14:16:49 2009 OpenVPN 2.1_rc15 i586-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 26 2009
Wed Sep  2 14:16:49 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Sep  2 14:16:49 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Sep  2 14:16:50 2009 WARNING: file '/etc/openvpn/ServerKey.pem' is group or others accessible
Wed Sep  2 14:16:50 2009 WARNING: file '/etc/openvpn/tls-auth.key' is group or others accessible
Wed Sep  2 14:16:50 2009 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Wed Sep  2 14:16:50 2009 LZO compression initialized
Wed Sep  2 14:16:50 2009 TUN/TAP device tun0 opened
Wed Sep  2 14:16:50 2009 /sbin/ip link set dev tun0 up mtu 1500
Wed Sep  2 14:16:50 2009 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Sep  2 14:16:50 2009 GID set to nobody
Wed Sep  2 14:16:50 2009 UID set to nobody
Wed Sep  2 14:16:50 2009 UDPv4 link local (bound): [undef]:1194
Wed Sep  2 14:16:50 2009 UDPv4 link remote: [undef]
AUTH-PAM: BACKGROUND: user 'george' failed to authenticate: User not known to the underlying authentication module
Wed Sep  2 14:17:07 2009 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Sep  2 14:17:07 2009 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Sep  2 14:17:07 2009 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.8.0.1 10.8.0.2'
Wed Sep  2 14:17:07 2009 [odxfc11.annvix.ca] Peer Connection Initiated with 192.168.251.130:1194
Wed Sep  2 14:17:08 2009 Initialization Sequence Completed
Wed Sep  2 14:17:10 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep  2 14:17:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep  2 14:17:13 2009 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Wed Sep  2 14:17:13 2009 Linux ip addr del failed: external program exited with error status: 2
Wed Sep  2 14:17:13 2009 SIGTERM[soft,delayed-exit] received, process exiting

The server is Fedora 11 32bit, the client is Fedora 11 64bit.  Both are running in vmware.  The server is using LDAP for authentication via PAM.  The server is using the following for its config:

dev tun
ifconfig 10.8.0.1 10.8.0.2
#secret static.key
tls-server
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/tls-auth.key
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/ServerCert.pem
key /etc/openvpn/ServerKey.pem
proto udp

and the client is using:

remote 192.168.251.129
dev tun
ifconfig 10.8.0.2 10.8.0.1
#secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
auth-user-pass
tls-client
pull
ca /etc/openvpn/cacert.pem
tls-auth /etc/openvpn/tls-auth.key
proto udp
client
cert /etc/openvpn/ClientCert.pem
key /etc/openvpn/ClientKey.pem

This could be construed as a low impact security issue (DoS) except for all of the TLS stuff involved (which looks to be a pre-requisite for user/pass authentication).  This means only a trusted user can DoS the openvpn server by providing bad credentials (either on purpose or by mistake).

I don't think openvpn should be crashing if it can't remove the route (I'm actually not even sure why it's doing that... I would think it would close the connection and keep listening for future connections).  I'm not very proficient with openvpn, so I'm not sure what the expected behaviour here is, but this sure feels wrong.  Especially considering entries like this in /var/log/messages:

Sep  2 12:00:35 odvfc11 kernel: openvpn[32162]: segfault at 0 ip 00c2aa4a sp bfb77ce0 error 4 in openvpn-auth-pam.so[c2a000+2000]
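The server output above shows a fixed sequence: a failed user/pass check from the PAM plugin, then an `ip addr del` that fails after the daemon has dropped to `user nobody`, then a SIGTERM delayed exit. The following is an added example, not code from the bug report or from the OpenVPN project: a small parser that reads OpenVPN 2.1-style server log lines and reports whether that chain is present and in order, which is what an operator would want to alert on while waiting for the fixed package. The sample log lines are an excerpt copied from the report's output; the `analyze` and `summarize` functions and the finding kinds are my own naming.

```python
"""Detect the "auth failure -> ip addr del failed -> SIGTERM" chain in OpenVPN logs.

Added example for this bug report; not part of OpenVPN or of the report itself.
Log format assumed: "Wed Sep  2 14:17:07 2009 <message>" for daemon lines, and
untimestamped lines for plugin output such as "AUTH-PAM: BACKGROUND: ...".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OpenVPN 2.1 timestamp prefix, e.g. "Wed Sep  2 14:17:07 2009 message..."
_TS = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$"
)
_UID = re.compile(r"^UID set to (\S+)$")

# Signatures taken from the server output in the report, in the order
# they must appear for the failure chain to count as a match.
_SIGNATURES = [
    ("auth_failed", ("failed to authenticate",
                     "PLUGIN_AUTH_USER_PASS_VERIFY failed",
                     "TLS Auth Error:")),
    ("ip_del_failed", ("Linux ip addr del failed",)),
    ("sigterm_exit", ("SIGTERM[soft,delayed-exit] received",)),
]


@dataclass
class Finding:
    kind: str
    ts: str    # empty for plugin lines, which carry no timestamp
    msg: str


@dataclass
class Analysis:
    uid_dropped_to: Optional[str] = None          # user named in "UID set to ..."
    findings: List[Finding] = field(default_factory=list)

    def first(self, kind: str) -> Optional[int]:
        """Index of the first finding of the given kind, or None."""
        for i, f in enumerate(self.findings):
            if f.kind == kind:
                return i
        return None

    @property
    def crash_after_bad_auth(self) -> bool:
        """True when every stage of the chain is present, in log order."""
        idx = [self.first(kind) for kind, _ in _SIGNATURES]
        return None not in idx and idx == sorted(idx)


def analyze(lines) -> Analysis:
    """Scan log lines once and collect the findings relevant to this bug."""
    result = Analysis()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _TS.match(line)
        ts, msg = (m.group("ts"), m.group("msg")) if m else ("", line)
        uid = _UID.match(msg)
        if uid:
            result.uid_dropped_to = uid.group(1)
            continue
        for kind, needles in _SIGNATURES:
            if any(n in msg for n in needles):
                result.findings.append(Finding(kind, ts, msg))
                break
    return result


def summarize(result: Analysis) -> List[str]:
    """Human-readable verdicts; empty when the chain is not present."""
    out = []
    if result.crash_after_bad_auth:
        out.append("server exited after a failed user/pass authentication")
        if result.uid_dropped_to:
            out.append("'ip addr del' ran after privileges were dropped to "
                       f"'{result.uid_dropped_to}'")
    return out


# Excerpt of the server output quoted in the bug report.
SAMPLE_LOG = """\
Wed Sep  2 14:16:50 2009 GID set to nobody
Wed Sep  2 14:16:50 2009 UID set to nobody
Wed Sep  2 14:16:50 2009 UDPv4 link local (bound): [undef]:1194
AUTH-PAM: BACKGROUND: user 'george' failed to authenticate: User not known to the underlying authentication module
Wed Sep  2 14:17:07 2009 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Sep  2 14:17:07 2009 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Sep  2 14:17:13 2009 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Wed Sep  2 14:17:13 2009 Linux ip addr del failed: external program exited with error status: 2
Wed Sep  2 14:17:13 2009 SIGTERM[soft,delayed-exit] received, process exiting
"""

# Constructed healthy startup, used as a negative case.
BENIGN_LOG = """\
Wed Sep  2 14:16:50 2009 TUN/TAP device tun0 opened
Wed Sep  2 14:16:50 2009 UID set to nobody
Wed Sep  2 14:17:08 2009 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, text in (("report", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        verdicts = summarize(analyze(text.splitlines()))
        print(name, "->", verdicts or ["no failure chain found"])
```

The ordering check matters: an auth failure on its own is routine (a mistyped password), and an `ip addr del` failure on shutdown is harmless, so only the three stages together, in that order, are worth paging on. Feeding the script the live log (for example the journal or `/var/log/messages` filtered for the openvpn unit) is the obvious next step, and pairing a match with the kernel `segfault` line quoted above would make the alert stronger still.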

Comment 1 Fedora Update System 2010-01-05 15:26:38 UTC
openvpn-2.1.1-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openvpn-2.1.1-2.fc12

Comment 2 Fedora Update System 2010-01-07 01:00:22 UTC
openvpn-2.1.1-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openvpn'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0249

Comment 3 Fedora Update System 2010-01-14 01:21:09 UTC
openvpn-2.1.1-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openvpn'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0504

Comment 4 Fedora Update System 2010-01-14 01:23:05 UTC
openvpn-2.1.1-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2010-01-28 01:02:26 UTC
openvpn-2.1.1-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
