From: Gert D. <ge...@gr...> - 2014-10-06 12:19:39
Hiya,

On Mon, Oct 06, 2014 at 07:45:21AM -0400, Jonathan K. Bullard wrote:
> In an article [1], OpenVPN developer Gert Doering is quoted as saying:
>
> "What you want to do from OpenVPN's point of view is to ensure that
> you're not using a 2.2.x version anymore, *and* that you just do not
> run your scripts using bash"
>
> Is there a problem with 2.2.1 generally, or just with the Windows versions?

2.2.x can use system() to run scripts, which will expose you to the
shellshock vulnerability on systems where /bin/sh is an alias to bash
(because system() will call "/bin/sh -c $yourcommand" under the hood).

So even if your commands are all safe, you might still be
shellshock-vulnerable, *if* you use 2.2.x *and* have "script-security
system" in your config *and* /bin/sh is bash.

So this is a lot of "ifs", and I should have made this more clear in my
response.

In 2.3.0, David removed support for system(), and OpenVPN now exclusively
uses fork()/exec()/wait() to achieve that functionality:

-----------------------------------------------------------------
commit 3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2
Author: David Sommerseth <da...@re...>
Date:   Thu Oct 25 14:22:30 2012 +0200

    Remove the support for using system() when executing external programs or scripts

    This patch removes the support for the system() call, and enforces
    the usage of execve() on the *nix platform and CreateProcessW() on
    Windows.

    This is to enhance the overall security when calling external
    scripts.  Using system() is prone to shell expansions, which may
    lead to security breaches.  Which is also why the execve() approach
    has been the default since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf
    which re-introduced the system() in Nov. 2008.
-----------------------------------------------------------------

Looking at MacOS X, it *does* use "bash" for /bin/sh, so you really do
want to upgrade that - and do not use any scripts that use "#!/bin/sh"
or "#!/bin/bash" there before you have upgraded.

Using OpenVPN 2.2.1 or 2.3.4 would only make a difference if the "system"
flag is used in the "script-security" command - so: don't do that.

> I assumed from Gert's quote that 2.2.1 is vulnerable (to something),
> so I removed it from the most recent version of Tunnelblick so it
> includes only 2.3.4. But that is causing problems for a few users [2],
> [3], so I may add it back in the next release if it is "safe".
> (Tunnelblick can contain multiple versions of OpenVPN; the user
> chooses which one to use.)

The issue in [2] might actually be due to some "script-security" side
effect - I can't off-hand come up with an example why this should be the
case (the change to require "script-security 2" to run any scripts at
all was introduced in 2.1_rc14), but it would be good to see the 2.3.4
logs what it tries and how it fails.

[3] also puzzles me - there should not be any change between 2.2 and 2.3
regarding pushed routes, and my wife is using Tunnelblick with OpenVPN
2.3.4 on her Macs just fine...

[..]

> But was Gert really warning not to use the **Windows** versions of
> 2.2.x (because of the Heartbleed vulnerability in the OpenSSL built
> into the Windows versions)?

No, that was strictly in the context of shellshock.

Apologies for the confusion caused. That question came in on quite
short notice, and I might have spent a bit more thought on the wording
of the response (I didn't assume it would go 1:1 to the article, without
any questions for clarification if anything was unclear).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             ge...@gr...
fax: +49-89-35655025                        ge...@ne...
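Added example, following the message above. It is not code from this thread or from OpenVPN's source tree; it is a stand-alone C program that makes the distinction in Gert's explanation and in David's commit message concrete: a command string handed to system() goes through "/bin/sh -c" and is subject to shell expansion, whereas an argument vector handed to fork()/execve()/waitpid() is passed to the program verbatim, so no shell ever sees it. It also contains the check an administrator would want from the "/bin/sh is an alias to bash" remark, asking /bin/sh itself whether it is bash, which works both for the symlink case (Linux) and the copy-of-bash case (MacOS X). The function names run_argv, run_via_shell, expansion_differs and sh_is_bash, and the environment variable OPENVPN_DEMO, are constructed for this example and are not OpenVPN identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Run argv[0] with the given argument vector using fork()/execve()/waitpid(),
 * the approach OpenVPN 2.3 uses exclusively. The child's stdout is captured
 * into out (NUL-terminated, truncated to outlen-1 bytes).
 * Returns the child's exit status, or -1 if it could not be spawned/waited for. */
static int run_argv(char *const argv[], char *out, size_t outlen)
{
    int fd[2];
    int status;
    size_t n = 0;
    ssize_t r;
    pid_t pid;

    if (pipe(fd) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    if (pid == 0) {                      /* child */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execve(argv[0], argv, environ);  /* no shell: argv goes through verbatim */
        _exit(127);
    }
    close(fd[1]);                        /* parent: collect output, then reap */
    while (n + 1 < outlen && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run a command string the way system() does under the hood: "/bin/sh -c cmd".
 * Everything in cmd is parsed and expanded by whatever /bin/sh is. */
static int run_via_shell(const char *cmd, char *out, size_t outlen)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_argv(argv, out, outlen);
}

/* Demonstrates the "prone to shell expansions" point. OPENVPN_DEMO is a
 * constructed variable name for this example. Returns 1 when the execve()
 * path printed the literal text "$OPENVPN_DEMO" while the system()-style
 * path expanded it, 0 otherwise. */
static int expansion_differs(void)
{
    char direct[64], shell[64];
    char *argv[] = { "/bin/echo", "$OPENVPN_DEMO", NULL };

    setenv("OPENVPN_DEMO", "expanded", 1);
    if (run_argv(argv, direct, sizeof direct) != 0)
        return 0;
    if (run_via_shell("echo $OPENVPN_DEMO", shell, sizeof shell) != 0)
        return 0;
    return strcmp(direct, "$OPENVPN_DEMO\n") == 0 &&
           strcmp(shell, "expanded\n") == 0;
}

/* The "is /bin/sh really bash?" check. bash sets BASH_VERSION even when
 * invoked as sh, so this works whether /bin/sh is a symlink or a copy.
 * Returns 1 if /bin/sh is bash, 0 if it is another shell, -1 on error. */
static int sh_is_bash(void)
{
    char out[64];
    if (run_via_shell("echo ${BASH_VERSION:-none}", out, sizeof out) != 0)
        return -1;
    return strncmp(out, "none", 4) != 0;
}

int main(void)
{
    printf("shell expansion differs between system()-style and execve(): %s\n",
           expansion_differs() ? "yes" : "no");
    switch (sh_is_bash()) {
    case 1:  puts("/bin/sh is bash: a system()-based 2.2.x with \"script-security system\" would reach bash here"); break;
    case 0:  puts("/bin/sh is not bash"); break;
    default: puts("could not determine what /bin/sh is"); break;
    }
    return 0;
}
```

Compile with a C compiler on any POSIX system and run it; the first line shows that the same text produces different output on the two paths, and the second line tells you which of Gert's "ifs" applies to the host's /bin/sh. The point of the design is that with run_argv the script path and its arguments are fixed by the caller and never re-parsed, which is exactly what the 2.3.0 commit enforces.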