= CVE-2020-15078 =

== Overview ==

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

== Detailed description ==

Under very specific circumstances it is possible to allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.

== Fixed OpenVPN versions ==

This vulnerability has been fixed in

* release/2.5 branch (commits f7b3bf06, 3d18e308c4 and 3aca477a1b5)
* release/2.4 branch (commit 0e5516a9)

Releases with the fix are:

* OpenVPN 2.5.2
* OpenVPN 2.4.11 

== Recommendations ==

We recommend upgrading to a fixed version.