[Openvpn-devel,v2] interactive.c: disable remote access to the service pipe

Message ID 20240319151723.936-2-lev@openvpn.net
State Accepted
Series [Openvpn-devel,v2] interactive.c: disable remote access to the service pipe

Commit Message

Lev Stipakov March 19, 2024, 3:16 p.m. UTC
Remote access to the service pipe is not needed and might
be a potential attack vector.

For example, if an attacker manages to get credentials for
a user who is a member of the "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged interactive service on a victim machine
and start openvpn processes remotely.

CVE: 2024-24974

Microsoft case number: 85925

Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Heiko Hund <heiko@openvpn.net>
---

 v2: add CVE and MSFT case number to the commit message

 src/openvpnserv/interactive.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Gert Doering March 19, 2024, 5:47 p.m. UTC | #1
As for the "plugin loading", this patch was sent "with ACK included" to
the openvpn-devel@ list because it was developed under embargo (CVE),
and reviewed and ACKed in a closed group.  I have verified that this
patch is identical to the one that Heiko and the original reporter saw and
ACKed.

It's not very clear if there is a real attack angle here, but generally
speaking this is a local process which only the GUI running on the
same machine should be speaking to, so we do not want arbitrary machines
in the network to be able to connect to its pipe and "try things".

I have test compiled this on MinGW and GHA, but did not actually run it.

Your patch has been applied to the master, release/2.6 and release/2.5
branches (security relevant bugfix).

commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master)
commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6)
commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5)
Author: Lev Stipakov
Date:   Tue Mar 19 17:16:07 2024 +0200

     interactive.c: disable remote access to the service pipe

     Signed-off-by: Lev Stipakov <lev@openvpn.net>
     Acked-by: Heiko Hund <heiko@openvpn.net>
     Message-Id: <20240319151723.936-2-lev@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 24e3f341..6a977b68 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2175,7 +2175,7 @@  CreateClientPipeInstance(VOID)
 
     openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance);
     pipe = CreateNamedPipe(pipe_name, flags,
-                           PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
+                           PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
                            PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
     if (pipe == INVALID_HANDLE_VALUE)
     {
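Review bot: the added PIPE_REJECT_REMOTE_CLIENTS pipe mode is a narrow fix, but the hunk records no reason for it; a one-line comment above the CreateNamedPipe call (e.g. `/* local clients only: remote access to the pipe is not needed, see CVE-2024-24974 */`) would keep a later cleanup from dropping the flag. Note that the final argument remains NULL, so the pipe's security descriptor and therefore local access control are unchanged; rejecting connections from other hosts on the network is the whole scope of the change, which matches the commit message.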