Bug 341387

Summary: KDE 4 Network Management created OpenVPN connections vulnerable to MITM attack
Product: Network Management
Reporter: Richard Yao <ryao>
Component: OpenVPN
Assignee: Lamarque V. Souza <lamarque>
Status: RESOLVED FIXED
Severity: grave
CC: jgrulich, kdebugs
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: unspecified
OS: All
Latest Commit:
Version Fixed In: 0.9.0.12

Description Richard Yao 2014-11-29 03:08:45 UTC
KDE's network manager plasmoid does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this at start:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

This has been an issue for years. I initially only filed a bug against plasma-nm, under the incorrect assumption that the network manager plasmoid had been retired:

https://bugs.kde.org/show_bug.cgi?id=341070

To my great delight (as I prefer the network manager plasmoid on my laptop), I have since realized that I had been wrong, so I am filing this bug.
Comment 1 Lamarque V. Souza 2014-11-29 10:52:24 UTC
Git commit 918786c28f7657ad8deff084ae44a257a7d471f6 by Lamarque V. Souza.
Committed on 29/11/2014 at 10:50.
Pushed by lvsouza into branch 'nm09'.

OpenVPN: Add option for server certificate verification

FIXED-IN: 0.9.0.12

M  +1    -1    plasma_nm_version.h
M  +1    -0    vpnplugins/openvpn/nm-openvpn-service.h
M  +52   -15   vpnplugins/openvpn/openvpnprop.ui
M  +14   -0    vpnplugins/openvpn/openvpnwidget.cpp

http://commits.kde.org/networkmanagement/918786c28f7657ad8deff084ae44a257a7d471f6
Comment 2 Richard Yao 2014-12-01 10:21:58 UTC
I cited the wrong bug above. The correct link is:

https://bugs.kde.org/show_bug.cgi?id=341069

Thanks once again for the prompt fix.
Comment 3 kdebugs 2016-04-23 19:55:30 UTC
What happened to the commit?  Git shows the files unchanged.  Please reopen and fix.