Version 7 (modified by 3 years ago) (diff) | ,
---|
CVE-2020-15078
Overview
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
Detailed description
This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.
In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
Fixed OpenVPN versions
This vulnerability has been fixed in
- Commit f7b3bf067ffce72e7de49a4174fd17a3a83f0573 (release/2.5)
- Commit 3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a (release/2.5)
- Commit 3aca477a1b58714754fea3a26d0892fffc51db6b (release/2.5)
- Commit 0e5516a9d656ce86f7fb370c824344ea1760c255 (release/2.4)
Releases with the fix are:
- OpenVPN 2.5.2
- OpenVPN 2.4.11
Recommendations
We recommend upgrading to a fixed version.