Message ID | 20240319151723.936-2-lev@openvpn.net |
---|---|
State | Accepted |
Series | [Openvpn-devel,v2] interactive.c: disable remote access to the service pipe |
As for the "plugin loading", this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the one that Heiko and the original reporter saw and ACKed.

It's not very clear if there is a real attack angle here, but generally speaking this is a local process which only the GUI running on the same machine should be speaking to, so we do not want arbitrary machines in the network to be able to connect to its pipe and "try things".

I have test compiled this on MinGW and GHA, but did not actually run it.

Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix).

commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master)
commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6)
commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5)
Author: Lev Stipakov
Date: Tue Mar 19 17:16:07 2024 +0200

    interactive.c: disable remote access to the service pipe

    Signed-off-by: Lev Stipakov <lev@openvpn.net>
    Acked-by: Heiko Hund <heiko@openvpn.net>
    Message-Id: <20240319151723.936-2-lev@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) {
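
Review bot: The new PIPE_REJECT_REMOTE_CLIENTS flag in the pipe-mode argument of CreateNamedPipe() in CreateClientPipeInstance() carries no comment, so the reason for it is only recorded in the commit subject. A one-line comment above the call saying that the service pipe is meant to be used only by the GUI on the same machine would keep the flag from being dropped in a later cleanup. Two further points on the same call: the flag only refuses connections from remote clients, and the last argument (the security attributes) is still NULL, so this call itself does nothing to narrow which local accounts may open the pipe; if that is handled elsewhere in the function, it is not visible in this hunk. PIPE_REJECT_REMOTE_CLIENTS is also only honoured from Windows Vista / Server 2008 onward, so it is worth confirming that matches the minimum Windows version the release/2.5 and release/2.6 builds target. Since the change was compile-tested but not run, a quick check that a local client can still connect and exchange messages on the pipe after this change would close the loop.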