Ubuntu
openvpn package

[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration

Bug #256621 reported by Till Ulen
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openvpn (Debian)
Fix Released
Unknown
openvpn (Ubuntu)
Fix Released
Undecided
Unassigned
Hardy
Won't Fix
Low
Unassigned

Bug Description

Binary package hint: openvpn

CVE-2008-3459 description:

"Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when running on non-Windows systems, allows remote servers to execute arbitrary commands via crafted (1) "lladdr" and (2) "iproute" configuration directives, probably related to shell metacharacters."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3459

More information:
http://openvpn.net/index.php/documentation/change-log/changelog-21.html

Ubuntu Hardy might be affected.

CVE References

Revision history for this message
Till Ulen (tillulen) wrote :

Adding CVE reference: CVE-2008-3459

Revision history for this message
Tristan Hill (stan) wrote :

see also debian's equivalent bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493488

Bug Watch Updater (bug-watch-updater)
Changed in openvpn:
status: Unknown → Fix Released
Revision history for this message
Michael Bienia (geser) wrote :

I've filed a sync request of openvpn 2.1~rc9-3 from Debian unstable to intrepid (bug 258767).

Revision history for this message
Thierry Carrez (ttx) wrote :

To fix this in hardy (rc7-based, probably affected) :

Difficult to extract a minimal patch from the RC8 to RC9 diff. I removed what was obviously windowsish and the version number updates. The problem is that the exact nature of the vulnerability doesn't seem to have been disclosed, that the upstream fix is introducing behavioral changes and that the real fix is drowned in a sea of security hardening efforts. What we are looking for must be in route.c, lladdr.c, maybe in multi.c...

I'll try to get more info from upstream.

Revision history for this message
Thierry Carrez (ttx) wrote :

Minimal patch from James Yonan (upstream)

This patch simply removes the affected features, which is probably a little too excessive for our taste.

Revision history for this message
didier (did447-deactivatedaccount) wrote :

Hi,

In my understanding it only removes abilities to set remotely the route *software* (/sbin/route , whatever).
Something that:
- I can't find a case why you may want to do such thing.
- Is an undocumented feature.

I haven't tested it but from quickly reading the code you still can remotely change route after applying the patch.

Didier

Jamie Strandboge (jdstrand)
Changed in openvpn:
status: New → Fix Released
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking Hardy status as "Won't Fix" as this package is not eligible for 5 year support.

Changed in openvpn (Ubuntu Hardy):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.