-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] SoftEther linux client/server has executable stack by default #1959
Comments
sorry, somehow you've chosen wrong route. in this issue tracker we discuss SoftEtherVPN Developer Edition, which is versioned 5.x while your concern totally make sense, it should be addressed either to debian packaging or SE Stable Edition itself. if they guide you to this tracker, please ask them to point you to right direction instead |
@chipitsine, where can I find more information about SE editions? Where can we obtain a roadmap for coming versions? Will new features or fixes be back-ported from DE to SE? |
|
Prerequisites
SoftEther version: softether-vpnclient-v4.43-9799-beta-2023.08.31-linux-x64-64bit and softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit
Component: [Server, Client]
Operating system: [Linux (Linux laptop 6.1.0-18-amd64, Debian 6.1.76-1 (2024-02-01) x86_64)]
Architecture: [64 bit]
Processor: [Intel(R) Core(TM) i5-8265U CPU @ 1.60GHz]
Description
The binary executable
vpnclient
has excutable stack. This is very very dangerous.I discovered this problem when I am viewing
dmesg
output. There is a log saying:I used
execstack
(If you can't install it with apt, you can download deb package at https://packages.debian.org/buster/amd64/execstack/download) to verify thatvpnclient
uses executable stack, and the result is that it uses it:nictheboy@laptop:~$ execstack /usr/share/vpnclient/vpnclient X /usr/share/vpnclient/vpnclient
According to manpage,
execstack
prints either - when executable stack is not required, X when executable stack is required or ? when it is unknown whether the object requires or doesn't require executable stack (the marking is missing). The 'X' in output marks thatvpnclient
uses an executable stack.I used
execstack
to cleared the executable stack flag, and I found thatvpnclient
works very well till now, so I guess it's unnecessary to use executable stack.The situation of
vpnserver
is the same.How to fix
According to here, we can add '-z noexecstack' to gcc compile options. Adding '-z noexecstack' to 'OPTIONS' in Makefile solves the problem on my PC.
Although this is not a vulnerability, it makes it much easier to exploit a vulnerability. Considering
vpnserver
andvpnclient
is often used as network daemon on servers, security issues need to be considered seriously.The text was updated successfully, but these errors were encountered: