Page MenuHomeVyOS Platform

Unhandled exception in "show openconnect-server sessions"
Closed, ResolvedPublicBUG

Description

In certain circumstances the command

show openconnect-server sessions

fails with the following:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 70, in <module>
    res = vyos.opmode.run(sys.modules[__name__])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
    res = func(**args)
          ^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 65, in show_sessions
    return _get_formatted_sessions(openconnect_data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 45, in _get_formatted_sessions
    ses("Device"), ses["Username"], ses("IPv4"), ses["Remote IP"],
    ^^^^^^^^^^^^^
TypeError: 'dict' object is not callable

This behavior is easy to reproduce. Just go in the browser to the htpps URL of the openconnect server, let the browser to render the page, and then run the op mode command above inside your VyOS router.

The reason is because these incorrect HTTP-sessions do not contain valid variables expected in lines 45-46 of /usr/libexec/vyos/op_mode/openconnect.py, namely Device, IPv4 and some others. We discovered this during the DDOS attack on our frontend, A lot of http sessions were opened by bots, thus we observed this operational mode command behavior. Even without bots this issue is something that can easily happen because the frontend URL is open to any HTTP request, not only from the legitimate openconnect clients. This way, any external actor can effectively disable internal VyOS reporting function.

I would recommend to change the lines 45-46 of /usr/libexec/vyos/op_mode/openconnect.py from:

ses("Device"), ses["Username"], ses("IPv4"), ses["Remote IP"],
ses("_RX"), ses("_TX"), ses["State"], ses["_Connected at"]

to:

ses.get("Device","-"), ses["Username"], ses.get("IPv4","-"), ses["Remote IP"],
ses.get("_RX","-"), ses.get("_TX","-"), ses["State"], ses["_Connected at"]

to solve this problem.

Similar problem is mentioned T4596, though not identical.

Details

Version
1.4.0
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

pre-auth stage of the negotiation does not populate the Device, IPv4, _TX, and _RX values yet, that's why the command fails: the raw array doesn't contain these variables yet.

dmbaturin renamed this task from ocserv op mode needs improvement to Unhandled exception in "show openconnect-server sessions".Jul 15 2024, 6:31 AM
dmbaturin triaged this task as Normal priority.
dmbaturin edited a custom field.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
HollyGurza moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
HollyGurza moved this task from Open to Finished on the VyOS 1.5 Circinus board.