OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Detailed description

This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.

In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.

Fixed OpenVPN versions

This vulnerability has been fixed in

Releases with the fix are:

  • OpenVPN 2.5.2
  • OpenVPN 2.4.11


If you are not using one of auth-gen-token, plugin, or management in your config, you are safe. In doubt, upgrade. If you know you're using deferred-auth, upgrade.

Last modified 3 years ago Last modified on 04/21/21 12:53:34