Source: openvpn
Severity: important
Tags: security
Forwarded: https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Overview

OpenVPN 2.5.1 and earlier versions allow a remote attacker to bypass
authentication and access control channel data on servers configured with
deferred authentication, which can be used to potentially trigger further
information leaks.


Detailed description

Under very specific circumstances, this bug allows an attacker to trick a
server using delayed authentication (plugin or management) into returning a
PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to
gather information about a VPN setup.

In combination with "--auth-gen-token" or a user-specific token auth solution
it can be possible to get access to a VPN with an otherwise-invalid account.


Fixed OpenVPN versions

This vulnerability has been fixed in

    release/2.5
        Commit f7b3bf067ffce72e7de49a4174fd17a3a83f0573
        Commit 3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
        Commit 3aca477a1b58714754fea3a26d0892fffc51db6b 
    release/2.4
        Commit 0e5516a9d656ce86f7fb370c824344ea1760c255 

Releases with the fix are:

    OpenVPN 2.5.2
    OpenVPN 2.4.11 

Recommendations

If you are not using any of auth-gen-token, plugin, or management in your
config, you are safe. If in doubt, upgrade. If you know you're using
deferred-auth, upgrade.
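
The check from the recommendation above, as an added example (not part of the original report or of OpenVPN's own tooling): it scans server config text for the three directives named above and compares an upstream version string against the fixed releases 2.5.2 and 2.4.11. The sample config and its plugin path are constructed, and distribution packages that backport the fix under an older version number are not recognised.

```python
import re

# Directives the advisory names as relevant to CVE-2020-15078.
RISKY = {"auth-gen-token", "plugin", "management"}

def risky_directives(config_text):
    """Return {directive: [line numbers]} for active (uncommented) risky directives."""
    found = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or full-line comment
            continue
        name = line.split()[0]
        if name.startswith("--"):         # tolerate command-line style spelling
            name = name[2:]
        if name in RISKY:
            found.setdefault(name, []).append(lineno)
    return found

def has_fix(version):
    """True if an upstream version string is at or past a fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v >= (2, 5, 0):
        return v >= (2, 5, 2)             # release/2.5 fix shipped in 2.5.2
    return v >= (2, 4, 11)                # release/2.4 fix shipped in 2.4.11

def assess(config_text, version):
    """Return (verdict, hits); verdict is 'fixed', 'upgrade' or 'not-exposed'."""
    hits = risky_directives(config_text)
    if has_fix(version):
        return "fixed", hits
    return ("upgrade" if hits else "not-exposed"), hits

# Constructed sample server config (paths are placeholders).
SAMPLE = """\
port 1194
proto udp
dev tun
# plugin /usr/lib/openvpn/old-auth.so
plugin /usr/lib/openvpn/plugins/example-auth.so
;management 127.0.0.1 7505
auth-gen-token 3600
"""

if __name__ == "__main__":
    print(assess(SAMPLE, "2.5.1"))
```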
