[security] SoftEther linux client/server has executable stack by default

[Nictheboy]

Prerequisites

• Can you reproduce?
• Are you running the latest version of SoftEtherVPN?

SoftEther version: softether-vpnclient-v4.43-9799-beta-2023.08.31-linux-x64-64bit and softether-vpnserver-v4.43-9799-beta-2023.08.31-linux-x64-64bit
Component: [Server, Client]
Operating system: [Linux (Linux laptop 6.1.0-18-amd64, Debian 6.1.76-1 (2024-02-01) x86_64)]
Architecture: [64 bit]
Processor: [Intel(R) Core(TM) i5-8265U CPU @ 1.60GHz]

Description

The binary executable vpnclient has excutable stack. This is very very dangerous.

I discovered this problem when I am viewing dmesg output. There is a log saying:

[   10.438829] process 'usr/share/vpnclient/vpnclient' started with executable stack

I used execstack (If you can't install it with apt, you can download deb package at https://packages.debian.org/buster/amd64/execstack/download) to verify that vpnclient uses executable stack, and the result is that it uses it:

nictheboy@laptop:~$ execstack /usr/share/vpnclient/vpnclient 
X /usr/share/vpnclient/vpnclient

According to manpage, execstack prints either - when executable stack is not required, X when executable stack is required or ? when it is unknown whether the object requires or doesn't require executable stack (the marking is missing). The 'X' in output marks that vpnclient uses an executable stack.

I used execstack to cleared the executable stack flag, and I found that vpnclient works very well till now, so I guess it's unnecessary to use executable stack.

nictheboy@laptop:~$ execstack -c /usr/share/vpnclient/vpnclient
nictheboy@laptop:~$ execstack -q /usr/share/vpnclient/vpnclient
- /usr/share/vpnclient/vpnclient

The situation of vpnserver is the same.

How to fix

According to here, we can add '-z noexecstack' to gcc compile options. Adding '-z noexecstack' to 'OPTIONS' in Makefile solves the problem on my PC.

Although this is not a vulnerability, it makes it much easier to exploit a vulnerability. Considering vpnserver and vpnclient is often used as network daemon on servers, security issues need to be considered seriously.

[chipitsine]

sorry, somehow you've chosen wrong route.

in this issue tracker we discuss SoftEtherVPN Developer Edition, which is versioned 5.x
4.x is for SoftEtherVPN Stable Edition

while your concern totally make sense, it should be addressed either to debian packaging or SE Stable Edition itself.

if they guide you to this tracker, please ask them to point you to right direction instead

[HectorB-2020]

in this issue tracker we discuss SoftEtherVPN Developer Edition, which is versioned 5.x
4.x is for SoftEtherVPN Stable Edition

@chipitsine, where can I find more information about SE editions? Where can we obtain a roadmap for coming versions? Will new features or fixes be back-ported from DE to SE?
I admit I've dared building 5.x and discovered different resulting files.

[officialh1]

in this issue tracker we discuss SoftEtherVPN Developer Edition, which is versioned 5.x
4.x is for SoftEtherVPN Stable Edition

@chipitsine, where can I find more information about SE editions? Where can we obtain a roadmap for coming versions? Will new features or fixes be back-ported from DE to SE? I admit I've dared building 5.x and discovered different resulting files.

www.vpnusers.com