Bug 341069

Summary: plasma-nm created OpenVPN connections vulnerable to MITM attack
Product: [Unmaintained] Network Management Reporter: Richard Yao <ryao>
Component: OpenVPNAssignee: Lamarque V. Souza <lamarque>
Status: RESOLVED FIXED    
Severity: major CC: jgrulich
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: http://commits.kde.org/plasma-nm/f612d1d473805a273812aa9ea2f4c561e338d9a9 Version Fixed In:
Sentry Crash Report:

Description Richard Yao 2014-11-18 03:53:28 UTC 
plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this on each boot:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

This issue has been around for years and was present in plasma-nm's predecessor.
Comment 1 Richard Yao 2014-11-18 03:54:48 UTC 
By boot, I mean program invocation and that message is from dmesg.
Comment 2 Jan Grulich 2014-11-26 12:18:30 UTC 
Git commit 863851110191d0480375d6c86ba8082dae9ac950 by Jan Grulich.
Committed on 26/11/2014 at 12:18.
Pushed by grulich into branch 'master'.

OpenVPN: Add option for server certificate verification

M  +1    -0    vpn/openvpn/nm-openvpn-service.h
M  +191  -111  vpn/openvpn/openvpnadvanced.ui
M  +15   -0    vpn/openvpn/openvpnadvancedwidget.cpp

http://commits.kde.org/plasma-nm/863851110191d0480375d6c86ba8082dae9ac950
Comment 3 Jan Grulich 2014-11-26 12:48:26 UTC 
Git commit f612d1d473805a273812aa9ea2f4c561e338d9a9 by Jan Grulich.
Committed on 26/11/2014 at 12:48.
Pushed by grulich into branch '0.9.3'.

OpenVPN: Add option for server certificate verification

M  +1    -0    vpn/openvpn/nm-openvpn-service.h
M  +179  -96   vpn/openvpn/openvpnadvanced.ui
M  +14   -0    vpn/openvpn/openvpnadvancedwidget.cpp

http://commits.kde.org/plasma-nm/f612d1d473805a273812aa9ea2f4c561e338d9a9
Comment 4 Richard Yao 2014-11-29 02:53:45 UTC 
Thanks for the prompt fix.