Possible Security Bug: Client Override



  • Hi,

    i am using pfSense with OpenVPN and Client Overrides. Client Overrides works with Usernames. Everything works fine except one thing:

    If the user adds a "space" in the OpenVPN Client after his Username he will be authenticated successfully ! But OpenVPN then didn't find any Clientoverides for that User and i see in the OpenVPN Logs

    openvpn: user 'username ' authenticated

    See the space after username … and yes there is no client override for username followed by a space. Main Problem is, then default Configuration works and that could causes that he becomes some IP Adresses which are used special. So that's also a Security Bug for me.

    OpenVPN should trimm that Username he got (well to be hones, OpenVPN Client should already trim that)

    Regards Mario



  • That does sound like a problem in the username handling with the OpenVPN service. As a quick workaround you can try to add this option into the custom options of your server:

    
    ccd-exclusive
    
    

    This will require that for successful authentication the user must have a client override file. This should make 'username ' fail but 'username' authenticate properly.


  • Rebel Alliance Developer Netgate

    That is a little odd, but the real problem is that you are mixing security levels on the same VPN.

    If you need to securely isolate someone, they should not be on the same VPN with anyone else with higher access. Setup a second VPN with a completely different CA structure, TLS key, tunnel network, etc, and then firewall it off that way.

    Using ccd-excluside can help, as kpa said, but then you must define an override for every user.

    Alternately, use the reverse tactic. Give users with access to more things special override settings to do that, and let the default be the insecure settings. I wouldn't do that, though, I'd still go for the second VPN for restricted access.



  • Well, no i have over 40 Users and every user have different access levels … i couldn't be the solution creating for every User a own VPN.

    Passing the space at the end of the Username is still a bug, and only that bug is causing that Problem.

    @kpa: Nice idea - will try that Workaround tomorrow. Thanks.



  • A file called "DEFAULT" with "disable" on one line in OpenVPN`s ccd directory as a workaround ?

    See "–client-config-dir dir" and "--disable" in manul 2.4:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    Also, first report this on OpenVPN forum ?
    https://forums.openvpn.net
    and/or the mailing list:
    https://sourceforge.net/projects/openvpn/lists/openvpn-users



  • Morning,

    so i restarted this morning the OpenVPN with "ccd-exclusive" under custom Options. And yes that solves the Security Issue.

    @jimp: As i have many different users access, i have an Override per every user. That's why i said i am not mixing levels - the Security Issue without ccd-exclusive is, that you can gain access of other users with that "space" trick.

    I have yesterday also send a complete Security Exploit Description to pfSense Security Team.

    Thanks all for the help.

    Regards Mario


  • Rebel Alliance Developer Netgate

    I just tried this myself and putting a space after the username fails authentication with local users and RADIUS users, but can be accepted by an LDAP server.

    Are you using an external authentication server? Your problem may be there, not with pfSense.

    Apr 6 08:43:33 	openvpn 		user 'jimp ' could not authenticate.
    Apr 6 08:43:33 	openvpn 	28014 	172.21.32.35 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Apr 6 08:43:33 	openvpn 	28014 	172.21.32.35 TLS Auth Error: Auth Username/Password verification failed for peer 
    

    I also verified the space was passed all the way through the authentication process. Nothing in our code strips it away that I can see.

    I see other similar complaints about LDAP servers and trailing spaces in filters around the Internet, but at least the references I can find lead back to it being a fact of life with how LDAP handles filters.

    I have tried numerous ways of escaping the space in the LDAP filter but each time the LDAP server ignores the trailing space when matching the user. The encoding was working properly because I was also testing a user with a space in the middle of the username and that worked when the space was encoded, but the trailing space was also allowed.

    I opened https://redmine.pfsense.org/issues/8439 to track it, but as far as I can tell so far it's the fault of LDAP server filter processing.

    You might want to lobby to OpenVPN and see if maybe they can add an option to strip extraneous whitespace from usernames, since it has to happen in OpenVPN for it to be caught early enough to matter.


  • Rebel Alliance Developer Netgate

    One more thing I thought of. If you use user certificates as well as user authentication, you could enable the option to enforce a match between the username and certificate common name.



  • Ummm I use Ms ad server 2012r2 ldap and adding space to end of username fails auth…


  • Rebel Alliance Developer Netgate

    Make sure you are trying that twice in a row, if you auth, then reconnect with another username, the server will always reject you as changing names.

    I didn't have an AD structure handy to test against but I did have OpenLDAP, and it ignores the trailing space as OP describes.



  • It fails every time.
    I can`t login with my username if it has trailing space.


  • Rebel Alliance Developer Netgate

    It's entirely possible that AD does the right thing and OpenLDAP-based systems fail that test.

    Strengthens the case that it's not a pfSense issue, but a problem on the authentication server.


Log in to reply