From debian at rogerprice.org Sat Apr 7 13:05:54 2018
From: debian at rogerprice.org (Roger Price)
Date: Sat, 07 Apr 2018 15:05:54 +0200
Subject: [Secure-testing-team] Bug#895135: openvpn client DNS security hole in update-resolv-conf
Message-ID: <152310635483.11152.11942026814437238600.reportbug@maria>

Package: openvpn
Version: 2.4.0-6+deb9u2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

* What led up to the situation?

openvpn client received DNS from server but silently used local, possibly compromised DNS server.

In the stretch openvpn server (2.4.0-6+deb9u2) the configuration file server.conf contains the declarations:

  push "dhcp-option DNS 212.27.40.241"
  push "dhcp-option DNS 212.27.40.240"

In the stretch 32 bit client the configuration file client.conf contains the declarations:

  script-security 2
  up /etc/openvpn/update-resolv-conf
  down /etc/openvpn/update-resolv-conf

When the client connects, the client log reports:

  Wed Apr 4 13:32:01 2018 us=398019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
  dhcp-option DNS 212.27.40.241,dhcp-option DNS 212.27.40.240,
  route 10.8.0.1,topology net30,ping 10,ping-restart 120,
  ifconfig 10.8.0.6 10.8.0.5,peer-id 0'
  ...
  Wed Apr 4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500 1561 10.8.0.6 10.8.0.5 init

Note the absence of any DNS error message. I tested for correct DNS setup:

  rprice@kananga ~ dig debian.org | grep SERVER
  ;; SERVER: 10.218.0.1#53(10.218.0.1)

Clearly not the required DNS server. The file /etc/resolv.conf still contains:

  # Generated by NetworkManager
  nameserver 10.218.0.1

Looking more closely at script /etc/openvpn/update-resolv-conf, it begins with the line

  [ -x /sbin/resolvconf ] || exit 0

File /sbin/resolvconf is not present, because package resolvconf is not yet installed (sysadmins are overworked and forget things). It is only suggested and not required for openvpn, so the script fails silently!

This looks to me like a serious security problem. Joe Road-Warrior is out there, connected to the "free" Wifi. He follows corporate instructions to turn on his openvpn client, but because of the exit 0 he is still using the local, thoroughly compromised DNS server.

The exit 0 needs to be replaced by

 1. A message in the log: "Looks like you have forgotten package resolvconf"
 2. An exit 1 to assure that the openvpn client cannot start.
 3. Nice to have: a notification to Joe that his openvpn setup is broken.

Thanks, Best Regards,
Roger

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-4-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u1
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u2
ii  libsystemd0            232-25+deb9u1
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u1
ii  resolvconf  1.79

-- debconf information excluded

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u1
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u1
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u2
pn  resolvconf  <none>

-- Configuration Files:
/etc/default/openvpn changed [not included]

-- debconf-show failed
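The following is an added example, not part of Roger's report and not the Debian update-resolv-conf script: a fail-closed OpenVPN up/down hook in POSIX sh that turns the report's three points into code. Instead of `[ -x /sbin/resolvconf ] || exit 0`, the guard prints the "forgotten package resolvconf" message to stderr (OpenVPN copies script output into its own log) and returns non-zero so the connection is aborted rather than left running with the pre-VPN resolver. It also shows how the pushed `dhcp-option DNS` values reach the hook (as `foreign_option_N` environment variables, with `$script_type` set to `up` or `down`, which is OpenVPN's documented interface) and filters them before handing them to resolvconf. The overridable `RESOLVCONF` variable, the `<dev>.inet` record name and the `is_addr` allowlist are this example's own assumptions.

```sh
#!/bin/sh
# Fail-closed variant of an OpenVPN up/down DNS hook (added example, not the
# Debian update-resolv-conf script). OpenVPN invokes the hook as
#   <hook> tun0 1500 1561 10.8.0.6 10.8.0.5 init
# with $script_type set to "up" or "down" and every pushed dhcp-option
# exported as foreign_option_1, foreign_option_2, ... in push order.

# Assumption: the resolvconf path can be overridden so the hook can be
# exercised without the real binary. Debian installs it at /sbin/resolvconf.
RESOLVCONF=${RESOLVCONF:-/sbin/resolvconf}

# The guard the report asks for: instead of "|| exit 0", complain on stderr
# (which OpenVPN writes to its log) and return non-zero so the caller aborts.
# Silently continuing would leave the untrusted local resolver in place.
require_resolvconf() {
    if [ ! -x "$1" ]; then
        echo "update-resolv-conf: $1 missing or not executable;" \
             "looks like you have forgotten package resolvconf" >&2
        return 1
    fi
}

# Accept only characters that can appear in an IPv4/IPv6 literal, so a
# malformed pushed option cannot smuggle extra directives into the record.
is_addr() {
    case $1 in
        "" | *[!0-9A-Fa-f.:]*) return 1 ;;
    esac
}

# Turn foreign_option_N variables into a resolv.conf fragment on stdout:
# a "search" line first (from DOMAIN / DOMAIN-SEARCH), then one nameserver
# line per "dhcp-option DNS <addr>". Unrelated options are ignored.
pushed_resolv_fragment() {
    ns="" search="" i=1
    while eval "opt=\${foreign_option_$i:-}" && [ -n "$opt" ]; do
        case $opt in
            "dhcp-option DNS "*)
                a=${opt#"dhcp-option DNS "}
                if is_addr "$a"; then ns="$ns $a"
                else echo "update-resolv-conf: ignoring bad DNS option '$opt'" >&2
                fi ;;
            "dhcp-option DOMAIN "*)
                search="$search ${opt#"dhcp-option DOMAIN "}" ;;
            "dhcp-option DOMAIN-SEARCH "*)
                search="$search ${opt#"dhcp-option DOMAIN-SEARCH "}" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$search" ] && echo "search$search"
    for a in $ns; do echo "nameserver $a"; done
}

main() {
    # Point 1 and 2 of the report: log the problem and refuse to continue.
    require_resolvconf "$RESOLVCONF" || exit 1
    dev=$1
    # Assumption: "<dev>.inet" is the record name handed to resolvconf.
    case ${script_type:-} in
        up)   pushed_resolv_fragment | "$RESOLVCONF" -a "$dev.inet" ;;
        down) "$RESOLVCONF" -d "$dev.inet" ;;
        *)    echo "update-resolv-conf: unexpected script_type '${script_type:-}'" >&2
              exit 1 ;;
    esac
}

# OpenVPN always passes the device name as $1; with no arguments (for
# instance when the functions are sourced for testing) nothing runs.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Installed as /etc/openvpn/update-resolv-conf and referenced by the `up`/`down` lines from the report, this makes the missing-resolvconf case visible in the OpenVPN log, and because OpenVPN treats a non-zero exit from the up script as fatal, the tunnel does not come up with the wrong resolver. The third point (a desktop notification to the user) is outside what the hook itself can do and is left to whatever front end starts OpenVPN.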