Bug 1060877 (CVE-2017-12166)

Summary: VUL-0: CVE-2017-12166: openvpn: OpenVPN CVE-2017-12166: remote buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Nirmoy Das <nirmoy.das>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: astieger, nirmoy.das, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/192610/
Whiteboard: CVSSv2:SUSE:CVE-2017-12166:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-12166:10.0:(AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-12166:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-12166:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-09-28 12:40:17 UTC
CVE-2017-12166

From: Guido Vranken <guidovranken@gmail.com>
Subject: [oss-security] OpenVPN CVE-2017-12166: remote buffer overflow
Date: Thu, 28 Sep 2017 12:06:51 +0200


This concerns a remote buffer overflow vulnerability in OpenVPN. It
has been fixed in OpenVPN 2.4.4 and 2.3.18, released on 26 Sept 2017.
It is suspected that only a small number of users is vulnerable to
this issue, because it requires having explicitly enabled the outdated
‘key method 1’.

The OpenVPN advisory can be found here:
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166

In ssl.c, key_method_1_read() calls read_key() which doesn’t perform
adequate bounds checks. cipher_length and hmac_length are specified by
the peer:

    uint8_t cipher_length;
    uint8_t hmac_length;

    CLEAR(*key);
    if (!buf_read(buf, &cipher_length, 1))
    {
        goto read_err;
    }
    if (!buf_read(buf, &hmac_length, 1))
    {
        goto read_err;
    }

And this many bytes of data are then read into key->cipher and key->hmac:

    if (!buf_read(buf, key->cipher, cipher_length))
    {
        goto read_err;
    }
    if (!buf_read(buf, key->hmac, hmac_length))
    {
        goto read_err;
    }

In other words, it’s a classic example of a missing bounds check resulting
in a buffer overflow.

Like my previous set of OpenVPN vulnerabilities, this issue was also
found with fuzzing.

Guido


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12166
http://seclists.org/oss-sec/2017/q3/563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
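Added illustration, not part of the bug report and not OpenVPN's source: a self-contained C model of the read_key() logic quoted above, with the pre-fix version next to one carrying the kind of length check that the 2.4.4 / 2.3.18 fix adds. The 64-byte slot sizes, the struct key layout and the buf_read() stand-in are assumptions made for the example; buf_read() is modelled as checking only the bytes remaining in the packet, not the size of the destination, which is what leaves the destination bound to the caller. The packet layout (two one-byte lengths followed by the cipher and HMAC key bytes) is the one the excerpt implies, and the packets built by build_key_packet() are constructed test input.

```c
/* Constructed model of OpenVPN's key-method-1 read_key() for CVE-2017-12166.
 * Not OpenVPN source: slot sizes, struct layout and buf_read() are simplified. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CIPHER_KEY_LENGTH 64 /* assumed size of key->cipher */
#define MAX_HMAC_KEY_LENGTH   64 /* assumed size of key->hmac */

struct key {
    uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
    uint8_t hmac[MAX_HMAC_KEY_LENGTH];
};

/* Stand-in for OpenVPN's struct buffer: a received packet with a read cursor. */
struct buffer {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Stand-in for buf_read(): fails only if fewer than n bytes remain in the packet.
 * It knows nothing about the size of dst, so bounding n is the caller's job. */
static bool buf_read(struct buffer *buf, void *dst, size_t n)
{
    if (n > buf->len - buf->pos) {
        return false;
    }
    memcpy(dst, buf->data + buf->pos, n);
    buf->pos += n;
    return true;
}

/* Pre-fix logic from the excerpt: peer-chosen one-byte lengths drive the copy.
 * Only safe when both lengths fit their slots; a larger value writes past
 * key->cipher or key->hmac, which is the bug. Never call it with such input. */
static bool read_key_vulnerable(struct key *key, struct buffer *buf)
{
    uint8_t cipher_length, hmac_length;

    memset(key, 0, sizeof(*key));
    if (!buf_read(buf, &cipher_length, 1) || !buf_read(buf, &hmac_length, 1)) {
        return false;
    }
    return buf_read(buf, key->cipher, cipher_length)
        && buf_read(buf, key->hmac, hmac_length);
}

/* Post-fix logic: refuse lengths larger than the destination slots before
 * copying, the shape of the check added in OpenVPN 2.4.4 / 2.3.18. */
static bool read_key_fixed(struct key *key, struct buffer *buf)
{
    uint8_t cipher_length, hmac_length;

    memset(key, 0, sizeof(*key));
    if (!buf_read(buf, &cipher_length, 1) || !buf_read(buf, &hmac_length, 1)) {
        return false;
    }
    if (cipher_length > MAX_CIPHER_KEY_LENGTH || hmac_length > MAX_HMAC_KEY_LENGTH) {
        return false; /* the missing bounds check */
    }
    return buf_read(buf, key->cipher, cipher_length)
        && buf_read(buf, key->hmac, hmac_length);
}

/* Bytes a length byte would write past a slot of the given size in the
 * vulnerable version, computed rather than executed. */
static size_t slot_overrun(uint8_t length, size_t slot)
{
    return length > slot ? length - slot : 0;
}

/* Build a key blob as the excerpt implies it is laid out:
 * [cipher_length][hmac_length][cipher bytes][hmac bytes]. Returns 0 if out is too small. */
static size_t build_key_packet(uint8_t *out, size_t cap,
                               uint8_t cipher_length, uint8_t hmac_length, uint8_t fill)
{
    size_t need = 2 + (size_t)cipher_length + hmac_length;
    if (need > cap) {
        return 0;
    }
    out[0] = cipher_length;
    out[1] = hmac_length;
    memset(out + 2, fill, need - 2);
    return need;
}

int main(void)
{
    uint8_t pkt[600];
    struct key k;
    size_t n = build_key_packet(pkt, sizeof(pkt), 255, 255, 0x41);
    struct buffer b = { pkt, n, 0 };

    printf("fixed read_key accepts cipher_length=255: %s\n",
           read_key_fixed(&k, &b) ? "yes" : "no");
    printf("vulnerable read_key would overrun key->cipher by %zu bytes\n",
           slot_overrun(255, MAX_CIPHER_KEY_LENGTH));
    return 0;
}
```

The point of the model is that buf_read() already guards the source side (a truncated packet fails in both versions), so the vulnerable path is the one where the packet is long enough but the peer-chosen length exceeds the fixed-size slot; the fixed version rejects that before any copy, and slot_overrun() shows the overrun size for a given length byte without ever performing the write.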
Comment 2 Swamp Workflow Management 2017-10-24 13:07:54 UTC
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
Comment 3 Swamp Workflow Management 2017-10-24 13:08:32 UTC
SUSE-SU-2017:2839-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE OpenStack Cloud 6 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP3 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP2 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-LTSS (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openvpn-2.3.8-16.20.1
Comment 4 Andreas Stieger 2017-10-27 18:38:52 UTC
release for Leap, done
Comment 5 Swamp Workflow Management 2017-10-27 22:17:01 UTC
openSUSE-SU-2017:2892-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
openSUSE Leap 42.3 (src):    openvpn-2.3.8-14.1
openSUSE Leap 42.2 (src):    openvpn-2.3.8-8.13.1
Comment 6 Marcus Meissner 2017-10-28 13:09:41 UTC
we missed openvpn-openssl1 ( SUSE:SLE-11-SP3:Update/openvpn-openssl1 )

can you add fixes from the current openvpn round to this and submit?
Comment 8 Marcus Meissner 2017-12-01 15:49:30 UTC
released
Comment 9 Swamp Workflow Management 2017-12-01 17:11:27 UTC
SUSE-SU-2017:3177-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openvpn-openssl1-2.3.2-0.10.3.1