[eduVPN-deploy] Details Security Issue 2021-08-25

François Kooman fkooman at tuxed.net
Wed Sep 1 16:21:01 CEST 2021 

Hi all,

On August 25, 2021 we were made aware of a security issue in the eduVPN 
/ Let's Connect! server by Nick Aquina, an eduVPN for Android 
application contributor. All servers we are aware of were updated in the 
last days.

** Vulnerability **

The vulnerability was a classic "input validation" issue. We did not 
verify user input. Due to this problem, the potential for a 
vulnerability was always there, but it became exploitable after an 
update to one of the tools we depend on for generating QR codes. These 
QR codes are used for two-factor enrollment.

The server software was VULNERABLE on Debian 10, Debian 11 and Fedora. 
The server software was NOT vulnerable on Debian 9 and CentOS 7.

The vulnerability was first introduced in vpn-user-portal 2.3.2 released 
on 2020-07-27.

** Scope **

The attack could have been executed by anyone able to login to the VPN 
portal. This typically means all your users.

** Fix **

The vulnerability was fixed in vpn-user-portal 2.3.14 released on 
2021-08-26.

** Description **

The vulnerability became exploitable because of an unfortunate number of 
circumstances:

1. We did not perform adequate input validation on the potentially user 
provided data to generate a QR codes;
2. We use "exec" to run a binary on the system which is risky, 
especially when using user input;
3. The qrencode binary in distributions got updated and introduced a 
"read from file" parameter that did not previously exist;
4. We enabled the QR module _even_ when two factor authentication was 
not enabled.

We did not perform input validation for the QR code generation as it 
seemed not that important at the time and the "Key URI format" [1] was 
quite complicated to validate correctly. Of course, it was a mistake not 
to do that anyway.

The reason we used "exec" to run an executable (2) was that it was much 
faster and we could use a binary already available on all operating 
systems we support [2] and thus remove a few PHP dependencies.

The qrencode tool as mentioned in (3) got the new flag `-r` in version 
4.0.0. Because CentOS 7 [3] and Debian 9 [4] never had/got this version 
I didn't notice the `-r` flag when reviewing the man-page.

Reason (4) was another oversight: we enabled code that was not used 
which is better to avoid. It would have reduced impact substantially.

** Implemented Fixes **

In the current production release we solved (4) by only enabling it when 
two factor authentication is enabled. This reduces the potential attack 
surface. Furthermore, we only allow the TOTP secret to be specified. It 
can be strictly validated as it only uses the Base32 alphabet. This 
solves (1). It is still not the perfect solution. In the next (major) 
release of eduVPN/Let's Connect! we'll avoid exposing a "QR endpoint" 
altogether and directly embed the QR code. Another fix already 
implemented is a strict requirement in the code to always specify a 
validation function when using external input, that will prevent 
"forgetting" to validate input.

** Exploitation **

We did NOT see or hear any indication of exploitation in the field. 
However, you can verify your web server log files and check for 
occurrences of requests to "/qr?qr_text" that look suspicious and e.g. 
point to a file with the "-r" flag. You can check the log files in 
/var/log/apache2 (Debian) or /var/log/httpd (Fedora). If you find 
something, or are not sure, please let us know!

** Recovery **

In case you want to "reset" your server, you can do that, but make sure 
you first install the updates. Note that all users will have to login 
again using the eduVPN/Let's Connect! apps and/or download a new 
configuration file from the portal as ALL data (including local user 
accounts), but no configuration, pertaining to the VPN server will be 
deleted. For single server VPNs:

     $ sudo vpn-maint-reset-system

** Final Thoughts **

It took a few days to get servers updated, which in the end is not so 
bad. We did have to contact some server operators a few times in order 
to get them to update their servers. It is not exactly sure how to 
improve this process. However, it could have been a lot worse...

Let us know if you have any questions!

Regards,
François

[1] https://github.com/google/google-authenticator/wiki/Key-Uri-Format
[2] https://github.com/Bacon/BaconQrCode/issues/70
[3] https://git.centos.org/rpms/qrencode/blob/c7/f/SPECS/qrencode.spec
[4] https://packages.debian.org/stretch/qrencode

More information about the eduVPN-deploy mailing list