Bug 1060877 - (CVE-2017-12166) VUL-0: CVE-2017-12166: openvpn: OpenVPN CVE-2017-12166: remote buffer overflow
(CVE-2017-12166)
VUL-0: CVE-2017-12166: openvpn: OpenVPN CVE-2017-12166: remote buffer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Nirmoy Das
Security Team bot
https://smash.suse.de/issue/192610/
CVSSv2:SUSE:CVE-2017-12166:10.0:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-28 12:40 UTC by Marcus Meissner
Modified: 2017-12-01 17:11 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-09-28 12:40:17 UTC
CVE-2017-12166

From: Guido Vranken <guidovranken@gmail.com>
Subject: [oss-security] OpenVPN CVE-2017-12166: remote buffer overflow
Date: Thu, 28 Sep 2017 12:06:51 +0200


This concerns a remote buffer overflow vulnerability in OpenVPN. It
has been fixed in OpenVPN 2.4.4 and 2.3.18, released on 26 Sept 2017.
It is suspected that only a small number of users is vulnerable to
this issue, because it requires having explicitly enabled the outdated
‘key method 1’.

The OpenVPN advisory can be found here:
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166

In ssl.c, key_method_1_read() calls read_key() which doesn’t perform
adequate bounds checks. cipher_length and hmac_length are specified by
the
peer:

1643 uint8_t cipher_length;
1644 uint8_t hmac_length;
1645
1646 CLEAR(*key);
1647 if (!buf_read(buf, &cipher_length, 1))
1648 {
1649     goto read_err;
1650 }
1651 if (!buf_read(buf, &hmac_length, 1))
1652 {
1653     goto read_err;
1654 }

And this many bytes of data are then read into key->cipher and key->hmac:

1656 if (!buf_read(buf, key->cipher, cipher_length))
1657 {
1658     goto read_err;
1659 }
1660 if (!buf_read(buf, key->hmac, hmac_length))
1661 {
1662     goto read_err;
1663 }

In other words, it’s a classic example of bounds check resulting in a
buffer overflow.

Like my previous set of OpenVPN vulnerabilities, this issue was also
found with fuzzing.

Guido


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12166
http://seclists.org/oss-sec/2017/q3/563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166
https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
Comment 2 Swamp Workflow Management 2017-10-24 13:07:54 UTC
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
Comment 3 Swamp Workflow Management 2017-10-24 13:08:32 UTC
SUSE-SU-2017:2839-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE OpenStack Cloud 6 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP3 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP2 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Server 12-LTSS (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    openvpn-2.3.8-16.20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openvpn-2.3.8-16.20.1
Comment 4 Andreas Stieger 2017-10-27 18:38:52 UTC
release for Leap, done
Comment 5 Swamp Workflow Management 2017-10-27 22:17:01 UTC
openSUSE-SU-2017:2892-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
openSUSE Leap 42.3 (src):    openvpn-2.3.8-14.1
openSUSE Leap 42.2 (src):    openvpn-2.3.8-8.13.1
Comment 6 Marcus Meissner 2017-10-28 13:09:41 UTC
we missed openvpn-openssl1 ( SUSE:SLE-11-SP3:Update/openvpn-openssl1 )

can you ad fixes from the current openvpn round to this and submit?
Comment 8 Marcus Meissner 2017-12-01 15:49:30 UTC
released
Comment 9 Swamp Workflow Management 2017-12-01 17:11:27 UTC
SUSE-SU-2017:3177-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1060877
CVE References: CVE-2017-12166
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openvpn-openssl1-2.3.2-0.10.3.1