= CVE-2020-15078 =

== Overview ==

OpenVPN 2.5.1 and earlier versions allow a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication, which can potentially be used to trigger further information leaks.

== Detailed description ==

Under very specific circumstances, this bug allows an attacker to trick a server using deferred authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.

In combination with "--auth-gen-token" or a user-specific token auth solution, it can be possible to gain access to a VPN with an otherwise-invalid account.

== Fixed OpenVPN versions ==

This vulnerability has been fixed in:

 * release/2.5
   * Commit f7b3bf067ffce72e7de49a4174fd17a3a83f0573
   * Commit 3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
   * Commit 3aca477a1b58714754fea3a26d0892fffc51db6b
 * release/2.4
   * Commit 0e5516a9d656ce86f7fb370c824344ea1760c255

Releases with the fix are:

 * OpenVPN 2.5.2
 * OpenVPN 2.4.11

== Recommendations ==

If you are not using one of auth-gen-token, plugin, or management in your config, you are safe. If in doubt, upgrade.

If you know you're using deferred-auth, upgrade.
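
The check from the Recommendations above, written as a script. This is an added example, not part of the advisory or of OpenVPN's own code. It assumes one directive per line in a single config file (includes via `config` are not followed); the function names, the sample config and its placeholder plugin path are constructed for illustration, and releases newer than 2.5.2 are assumed to carry the fix.

```python
import re

# Directives the Recommendations section names as relevant.
RELEVANT = {"auth-gen-token", "plugin", "management"}
# First fixed release per branch, as listed in the advisory.
FIXED = {(2, 4): (2, 4, 11), (2, 5): (2, 5, 2)}

# Constructed sample server config (not from the advisory).
SAMPLE_CONFIG = """\
port 1194
proto udp
dev tun
;management 127.0.0.1 7505
--plugin /path/to/auth-plugin.so login
auth-gen-token 3600
"""

def relevant_directives(config_text):
    """Return the relevant directives that are active in the config, sorted."""
    found = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        name = line.split()[0]
        if name.startswith("--"):            # "--plugin" and "plugin" are the same option
            name = name[2:]
        if name in RELEVANT:
            found.add(name)
    return sorted(found)

def has_fix(version):
    """True if the version is at or past the first fixed release of its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    # Branches without a listed fix are compared against 2.5.2 (assumption:
    # newer branches include the fix; the advisory lists none for older ones).
    return v >= FIXED.get(v[:2], (2, 5, 2))

def assess(config_text, version):
    """Return (verdict, directives) following the advisory's recommendations."""
    hits = relevant_directives(config_text)
    if has_fix(version):
        return "fixed", hits
    return ("upgrade" if hits else "not-affected"), hits

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "2.5.1"))
```
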