CVE-2020-15078: Authentication bypass with deferred authentication

Related Vulnerabilities: CVE-2020-15078  

Debian Bug report logs - #987380

Reported by: Bernhard Schmidt <berni@debian.org>

Date: Thu, 22 Apr 2021 20:30:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions openvpn/2.4.7-1, openvpn/2.5.1-1

Forwarded to https://community.openvpn.net/openvpn/wiki/CVE-2020-15078



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#987380; Package src:openvpn. (Thu, 22 Apr 2021 20:30:04 GMT)


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Thu, 22 Apr 2021 20:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2020-15078: Authentication bypass with deferred authentication
Date: Thu, 22 Apr 2021 22:26:41 +0200
Source: openvpn
Severity: important
Tags: security
Forwarded: https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Overview

OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass
authentication and access control channel data on servers configured with
deferred authentication, which can be used to potentially trigger further
information leaks.


Detailed description

This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.

In combination with "--auth-gen-token" or a user-specific token auth solution
it can be possible to get access to a VPN with an otherwise-invalid account.


Fixed OpenVPN versions

This vulnerability has been fixed in

    release/2.5
        Commit f7b3bf067ffce72e7de49a4174fd17a3a83f0573
        Commit 3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
        Commit 3aca477a1b58714754fea3a26d0892fffc51db6b 
    release/2.4
        Commit 0e5516a9d656ce86f7fb370c824344ea1760c255 

Releases with the fix are:

    OpenVPN 2.5.2
    OpenVPN 2.4.11 

Recommendations

If you are not using one of auth-gen-token, plugin, or management in your
config, you are safe. In doubt, upgrade. If you know you're using
deferred-auth, upgrade.
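
A triage check following the recommendation in the report above, as an added example that is not part of the original bug report or OpenVPN's own code: it flags the three directives the advisory names in a server config and compares the upstream version against the fixed releases 2.5.2 and 2.4.11. The function names, the sample config and its paths are constructed for illustration.

```python
import re

# Directives the advisory names as putting a server on the affected code path.
RISKY = {"auth-gen-token", "plugin", "management"}
# Fixed upstream releases named in the advisory.
FIXED_25, FIXED_24 = (2, 5, 2), (2, 4, 11)

def risky_directives(config_text):
    """Return the advisory-listed directives present in an OpenVPN config."""
    found = set()
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            name = line.split()[0].lstrip("-")  # "--plugin" and "plugin" match
            if name in RISKY:
                found.add(name)
    return sorted(found)

def upstream_version(version):
    """Parse '2.4.7-1' or '2.5.1' into (2, 4, 7); the Debian revision is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def has_fix(version):
    """Upstream comparison only; a distribution package may carry a backported fix."""
    v = upstream_version(version)
    return v >= FIXED_25 or FIXED_24 <= v < (2, 5, 0)

def assess(config_text, version):
    """Return (verdict, directives): 'fixed', 'upgrade' or 'not-exposed'."""
    hits = risky_directives(config_text)
    if has_fix(version):
        return "fixed", hits
    return ("upgrade" if hits else "not-exposed"), hits

# Constructed sample server config (paths are hypothetical).
SAMPLE = """\
port 1194
;plugin /usr/lib/openvpn/old-auth.so
plugin /usr/lib/openvpn/plugins/auth.so   # hypothetical path
--management 127.0.0.1 7505
"""

if __name__ == "__main__":
    print(assess(SAMPLE, "2.4.7-1"))
```

Files pulled in through a `config` directive are not followed, so run the check on each included file as well.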



Marked as found in versions openvpn/2.5.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 23 Apr 2021 04:51:03 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 23 Apr 2021 04:51:05 GMT)


Marked as found in versions openvpn/2.4.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 23 Apr 2021 04:51:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 23 08:07:51 2021; Machine Name: bembo
