From patchwork Tue Mar 19 15:16:07 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3657
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2024 17:16:07 +0200
Message-ID: <20240319151723.936-2-lev@openvpn.net>
In-Reply-To: <20240319135701.1301-2-lev@openvpn.net>
References: <20240319135701.1301-2-lev@openvpn.net>
Subject: [Openvpn-devel] [PATCH v2] interactive.c: disable remote access to the service pipe
Cc: Lev Stipakov , Heiko Hund , Vladimir Tokarev

Remote access to the service pipe is not needed and might be a potential attack vector.

For example, if an attacker manages to get credentials for a user which is the member of "OpenVPN Administrators" group on a victim machine, an attacker might be able to communicate with the privileged interactive service on a victim machine and start openvpn processes remotely.

CVE: 2024-24974
Microsoft case number: 85925
Reported-by: Vladimir Tokarev
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
v2: add CVE and MSFT case number to the commit message

 src/openvpnserv/interactive.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 24e3f341..6a977b68 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID) openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service"), service_instance); pipe = CreateNamedPipe(pipe_name, flags, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); if (pipe == INVALID_HANDLE_VALUE) {
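
Review bot: The PIPE_REJECT_REMOTE_CLIENTS flag added to the CreateNamedPipe() call in CreateClientPipeInstance() carries no code comment, so the security reason for it exists only in the commit message. A one-line comment above the call saying that the service pipe must be reachable by local clients only would keep a later cleanup of the mode flags from dropping it. The same call passes NULL as its last argument (the security attributes), and this hunk does not show where access to the pipe is restricted to the "OpenVPN Administrators" group mentioned in the commit message; a pointer in that comment to where the pipe's ACL is applied would let a reader confirm both controls together. As a style point, the changed line is now much longer than its neighbours and could be wrapped after PIPE_READMODE_MESSAGE.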