Version 3 (modified by Gert Döring, 7 months ago)

CVE-2022-0547: Potential authentication by-pass with multiple deferred authentication plug-ins

OpenVPN 2.1 up to v2.4.11, and v2.5.5, may allow an authentication bypass when more than one external authentication plug-in makes use of deferred authentication replies: an external user can be granted access with only partially correct credentials.

This issue is resolved in OpenVPN 2.4.12 and v2.5.6: when the server detects that more than one authentication plug-in has deferred its reply, the OpenVPN server process stops running with the following error message in the logs:

Exiting due to multiple authentication plug-ins performing deferred authentication.  Only one authentication plug-in doing deferred auth is allowed.  Ignoring the result and stopping now, the current authentication result is not to be trusted.
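As an added illustration, not OpenVPN's own code, the following simplified Python model shows the fail-closed rule the fix enforces: per-plug-in verdicts for one client are combined, at most one plug-in may defer, and a second deferral aborts instead of producing a decision that could be trusted. The plug-in names, the `Verdict`/`aggregate` identifiers and the exception type are hypothetical; only the log text is taken from the advisory.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    """Reply an authentication plug-in gives for one client."""
    SUCCESS = "success"
    FAILURE = "failure"
    DEFERRED = "deferred"  # plug-in will answer later, out of band


# Exact log line emitted by OpenVPN 2.4.12 / 2.5.6 (quoted from the advisory).
FATAL_MSG = (
    "Exiting due to multiple authentication plug-ins performing deferred authentication.  "
    "Only one authentication plug-in doing deferred auth is allowed.  "
    "Ignoring the result and stopping now, the current authentication result is not to be trusted."
)


class MultipleDeferredAuth(RuntimeError):
    """Raised where the real server process would terminate (hypothetical type)."""


@dataclass
class AuthOutcome:
    decision: str                 # "accept", "reject" or "pending"
    deferred_plugin: Optional[str] = None


def aggregate(plugin_verdicts: Dict[str, Verdict], log: List[str]) -> AuthOutcome:
    """Combine the verdicts of all configured plug-ins for one client, failing closed."""
    deferred = [name for name, v in plugin_verdicts.items() if v is Verdict.DEFERRED]
    if len(deferred) > 1:
        # The fixed behaviour: never try to reconcile two outstanding deferrals.
        log.append(FATAL_MSG)
        raise MultipleDeferredAuth(deferred)
    if any(v is Verdict.FAILURE for v in plugin_verdicts.values()):
        return AuthOutcome("reject")
    if deferred:
        return AuthOutcome("pending", deferred[0])  # wait for the single deferred reply
    return AuthOutcome("accept")


def resolve_deferred(outcome: AuthOutcome, reply: Verdict) -> AuthOutcome:
    """Finish a pending authentication once the one deferred plug-in has answered."""
    if outcome.decision != "pending":
        raise ValueError("no deferred authentication outstanding")
    return AuthOutcome("accept" if reply is Verdict.SUCCESS else "reject")
```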