Ubuntu
network-manager package

network-manager-openvpn leaks DNS information on Ubuntu 18.04

Bug #1796648 reported by Gijs Molenaar
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

By default when adding a VPN configuration on Ubuntu 18.04 the DNS configuration supplied by DHCP is not used, resulting in DNS leakage.

How to reproduce:

* Add VPN configuration, for example, import a ovpn file
* activate
* Check for DNS leakage at for example https://www.dnsleaktest.com/

This has been reported at various locations:

https://github.com/systemd/systemd/issues/7182
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1690860
https://github.com/eduvpn/python-eduvpn-client/issues/160

The issue has been solved since network-manage-open version 1.12.0:

https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10

This version or a more recent version is part of Ubuntu 18.10 which doesn't have this issue.

A workaround is to run:

$ systemd-resolve -i tun2 --set-domain=~.

where tun2 is your VPN interface.

We think this is a security issue and at least a backport of network-manage-open > 1.12.0 should be uploaded to the archive.

greetings,

 - Gijs

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager 1.10.6-2ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 8 11:19:00 2018
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2018-06-06 (123 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
IpRoute:
 default via 192.168.178.1 dev enp6s0 proto dhcp metric 100
 169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown
 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
 192.168.178.0/24 dev enp6s0 proto kernel scope link src 192.168.178.61 metric 100
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
RfKill:

SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-nm:
 RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN
 running 1.10.6 connected started full enabled enabled enabled enabled enabled

Revision history for this message
Gijs Molenaar (gijzelaar) wrote :
Gijs Molenaar (gijzelaar)
affects: network-manager (Ubuntu) → network-manager-openvpn (Ubuntu)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for the report Gijs,

This seems to be a recurring problem, or perhaps one that's just difficult to completely solve.

The bug you referenced:
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10
includes a mention of this fix:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d9782589248e61c0cb5aec90e3eb62612891116b

Previously filed bugs that may provide some further context or information:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1652525
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1634689
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1685391
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1672491
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671

Thanks

information type: Private Security → Public Security
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

The suggested fix is quite a lot of code churn; I don't know if the security process or SRU process would be more appropriate for this much change. Thoughts?

Thanks

Revision history for this message
Sebastien Bacher (seb128) wrote :

The issue is the same than bug #1754671 right?

@Seth, security pocket or not would depends of how much the security team consider of an important security problem...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Sebastien, it certainly does look like 1754671. Thanks

fessmage (fessmage)
no longer affects: network-manager-openvpn
Revision history for this message
fessmage (fessmage) wrote :

There are mistypes in head message and title - it is not network-manager-openvpn leak dns, but network-manager itself. And version with fix - network-manager 1.12. I hope fix will be backported to 1.10 for Ubuntu 18.04 (https://bugzilla.gnome.org/show_bug.cgi?id=746422#c56)

Revision history for this message
Gijs Molenaar (gijzelaar) wrote :

Yes a backport would be great.

Mathew Hodson (mhodson)
affects: network-manager-openvpn (Ubuntu) → network-manager (Ubuntu)
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.