network-manager-openvpn leaks DNS information on Ubuntu 18.04

Bug #1796648 reported by Gijs Molenaar
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Undecided
Unassigned

Bug Description

By default when adding a VPN configuration on Ubuntu 18.04 the DNS configuration supplied by DHCP is not used, resulting in DNS leakage.

How to reproduce:

* Add VPN configuration, for example, import a ovpn file
* activate
* Check for DNS leakage at for example https://www.dnsleaktest.com/

This has been reported at various locations:

https://github.com/systemd/systemd/issues/7182
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1690860
https://github.com/eduvpn/python-eduvpn-client/issues/160

The issue has been solved since network-manage-open version 1.12.0:

https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10

This version or a more recent version is part of Ubuntu 18.10 which doesn't have this issue.

A workaround is to run:

$ systemd-resolve -i tun2 --set-domain=~.

where tun2 is your VPN interface.

We think this is a security issue and at least a backport of network-manage-open > 1.12.0 should be uploaded to the archive.

greetings,

 - Gijs

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager 1.10.6-2ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 8 11:19:00 2018
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2018-06-06 (123 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
IpRoute:
 default via 192.168.178.1 dev enp6s0 proto dhcp metric 100
 169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
 192.168.178.0/24 dev enp6s0 proto kernel scope link src 192.168.178.61 metric 100
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
RfKill:

SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-nm:
 RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN
 running 1.10.6 connected started full enabled enabled enabled enabled enabled

Revision history for this message
Gijs Molenaar (gijzelaar) wrote :
affects: network-manager (Ubuntu) → network-manager-openvpn (Ubuntu)
Revision history for this message
Seth Arnold (seth-arnold) wrote :
information type: Private Security → Public Security
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

The suggested fix is quite a lot of code churn; I don't know if the security process or SRU process would be more appropriate for this much change. Thoughts?

Thanks

Revision history for this message
Sebastien Bacher (seb128) wrote :

The issue is the same than bug #1754671 right?

@Seth, security pocket or not would depends of how much the security team consider of an important security problem...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Sebastien, it certainly does look like 1754671. Thanks

fessmage (fessmage)
no longer affects: network-manager-openvpn
Revision history for this message
fessmage (fessmage) wrote :

There are mistypes in head message and title - it is not network-manager-openvpn leak dns, but network-manager itself. And version with fix - network-manager 1.12. I hope fix will be backported to 1.10 for Ubuntu 18.04 (https://bugzilla.gnome.org/show_bug.cgi?id=746422#c56)

Revision history for this message
Gijs Molenaar (gijzelaar) wrote :

Yes a backport would be great.

Mathew Hodson (mhodson)
affects: network-manager-openvpn (Ubuntu) → network-manager (Ubuntu)
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers