960192 – (CVE-2013-2061) CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt

Bug 960192 (CVE-2013-2061) - CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt

Summary: CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-2061
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	960195 960196
Blocks:
TreeView+	depends on / blocked

Reported:	2013-05-06 16:25 UTC by Vincent Danen
Modified:	2019-09-29 13:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openvpn 2.3.1
Clone Of:
Environment:
Last Closed:	2013-06-04 17:46:26 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vincent Danen 2013-05-06 16:25:51 UTC

According to the upstream security report [1] the following flaw was found in OpenVPN 2.3.0 and earlier:


OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested.

OpenVPN servers are typically configured to silently drop packets with the wrong HMAC. For this reason measuring the processing time of the packets is not trivial without a MITM position. In practice, the attack likely needs some target-specific information to be effective.

The severity of this vulnerability can be considered low. Only if OpenVPN is configured to use a null-cipher, arbitrary plain-text can be injected which can completely open up this attack vector.


A fix has been committed to git [2]; this is corrected in OpenVPN 2.3.1 and later.

[1] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
[2] https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee

Comment 1 Vincent Danen 2013-05-06 16:30:14 UTC

Note that OpenVPN is not built with PolarSSL support, so while it's currently unknown whether or not this affects OpenVPN built with OpenSSL, it's probably prudent to apply the patch, despite this being a low-impact flaw.

Comment 2 Gwyn Ciesla 2013-05-06 16:32:30 UTC

Pushing 2.3.1 to f18 and f17 as we speak.

Comment 3 Vincent Danen 2013-05-06 16:34:50 UTC

Nice, thank you Jon.  I will still file a tracking bug that you can reference as one is required for EPEL anyways.

Comment 4 Vincent Danen 2013-05-06 16:35:28 UTC

Created openvpn tracking bugs for this issue

Affects: epel-all [bug 960195]
Affects: fedora-all [bug 960196]

Comment 5 David Sommerseth 2013-05-06 17:56:03 UTC

For more information about this issue, please read this announcement:

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc

This is really a low security issue, and it seems most likely to be vulnerable only if --cipher none is used in the configuration.

Comment 6 Vincent Danen 2013-05-06 21:10:20 UTC

Right, that's why it's rated low impact here as well.  It's also unknown whether or not this affects openssl (which we use) or just the use of polarssl (which we don't use).  But, regardless, it's still a flaw and the patch is pretty straightforward, so there's no real reason _not_ to fix it.

Comment 7 Jan Lieskovsky 2013-05-07 07:39:57 UTC

The CVE identifier of CVE-2013-2061 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/05/06/6

Note You need to log in before you can comment on or make changes to this bug.