
Debian Bug report logs - #1008015
openvpn: CVE-2022-0547: authentication bypass in external authentication plug-ins


Package: openvpn; Maintainer for openvpn is Bernhard Schmidt <berni@debian.org>; Source for openvpn is src:openvpn (PTS, buildd, popcon).

Reported by: Markus Koschany <apo@debian.org>

Date: Sun, 20 Mar 2022 15:00:01 UTC

Severity: grave

Tags: security, upstream

Found in versions openvpn/2.5.1-3, openvpn/2.5.5-1

Fixed in version openvpn/2.5.6-1

Done: Bernhard Schmidt <berni@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bernhard Schmidt <berni@debian.org>:
Bug#1008015; Package openvpn. (Sun, 20 Mar 2022 15:00:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Bernhard Schmidt <berni@debian.org>. (Sun, 20 Mar 2022 15:00:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit <submit@bugs.debian.org>
Subject: openvpn: CVE-2022-0547: authentication bypass in external authentication plug-ins
Date: Sun, 20 Mar 2022 15:57:36 +0100
Package: openvpn
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for openvpn.

CVE-2022-0547[0]:
| OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass
| in external authentication plug-ins when more than one of them makes
| use of deferred authentication replies, which allows an external user
| to be granted access with only partially correct credentials.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0547
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

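The CVE text above describes the failure mode (a client admitted on partially correct credentials when several plug-ins answer asynchronously) without giving the code path. The following is an added, constructed model of the policy a server must enforce in that situation, written for this report; it is not OpenVPN code and makes no claim about which line upstream changed. The plug-in names ("ldap", "otp"), the `Verdict` enum and the `DeferredAuthSession` class are all illustrative. The hardened rule is a conjunction: every deferred plug-in must have replied, and every reply must be success. The `admit_if_any_success` function is included only to show what the symptom named in the CVE looks like when one successful reply is allowed to stand in for all of them.

```python
"""Constructed model of deferred-authentication result aggregation.

Added illustration for CVE-2022-0547-style bugs; not OpenVPN code.
Models a server that forwards a client's credentials to several external
plug-ins, each of which may answer later ("deferred" reply).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    PENDING = "pending"   # plug-in deferred and has not answered yet
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass
class DeferredAuthSession:
    """Per-client record of outstanding plug-in verdicts (hypothetical)."""
    plugin_names: Tuple[str, ...]
    verdicts: Dict[str, Verdict] = field(init=False)

    def __post_init__(self) -> None:
        # Every registered plug-in starts as PENDING; nothing is assumed.
        self.verdicts = {name: Verdict.PENDING for name in self.plugin_names}

    def record(self, plugin: str, verdict: Verdict) -> None:
        """Store a plug-in's final answer; a verdict may not be revised."""
        if plugin not in self.verdicts:
            raise KeyError(f"unknown plug-in {plugin!r}")
        if self.verdicts[plugin] is not Verdict.PENDING:
            raise ValueError(f"{plugin} already answered")
        if verdict is Verdict.PENDING:
            raise ValueError("a reply must be SUCCESS or FAILURE")
        self.verdicts[plugin] = verdict

    def decision(self) -> Optional[bool]:
        """Hardened policy: True = admit, False = reject, None = still waiting.

        Any failure rejects at once; admission requires every plug-in to have
        answered, and every answer to be SUCCESS. PENDING never counts.
        """
        values = list(self.verdicts.values())
        if Verdict.FAILURE in values:
            return False
        if Verdict.PENDING in values:
            return None
        return True


def admit_if_any_success(session: DeferredAuthSession) -> bool:
    """Constructed wrong policy: one successful reply admits the client.

    This reproduces the symptom the CVE describes (access with partially
    correct credentials) and is shown only as the contrast to decision().
    """
    return Verdict.SUCCESS in session.verdicts.values()


def run_login(password_ok: bool, otp_ok: bool) -> Tuple[Optional[bool], bool]:
    """Drive one login through two deferred plug-ins (constructed scenario).

    Returns (hardened decision, naive decision) so the two policies can be
    compared on the same replies.
    """
    session = DeferredAuthSession(("ldap", "otp"))
    session.record("ldap", Verdict.SUCCESS if password_ok else Verdict.FAILURE)
    session.record("otp", Verdict.SUCCESS if otp_ok else Verdict.FAILURE)
    return session.decision(), admit_if_any_success(session)


if __name__ == "__main__":
    for pw, otp in ((True, True), (True, False), (False, True), (False, False)):
        hardened, naive = run_login(pw, otp)
        print(f"password_ok={pw!s:5} otp_ok={otp!s:5} "
              f"hardened={hardened!s:5} naive={naive}")
```

Only the (True, True) row is admitted under the hardened policy; the naive policy also admits the two mixed rows, which is the "partially correct credentials" outcome from the CVE description. In a real server the same rule has to survive replies arriving in any order and any timing, which is why `decision()` treats PENDING as "not yet" rather than as success.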

Marked as found in versions openvpn/2.5.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2022 15:09:03 GMT)


Marked as found in versions openvpn/2.5.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2022 15:09:03 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2022 15:09:03 GMT)


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Sun, 20 Mar 2022 21:39:05 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 20 Mar 2022 21:39:05 GMT)


Message #16 received at 1008015-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1008015-close@bugs.debian.org
Subject: Bug#1008015: fixed in openvpn 2.5.6-1
Date: Sun, 20 Mar 2022 21:09:03 +0000
Source: openvpn
Source-Version: 2.5.6-1
Done: Bernhard Schmidt <berni@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1008015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 Mar 2022 21:42:05 +0100
Source: openvpn
Architecture: source
Version: 2.5.6-1
Distribution: unstable
Urgency: high
Maintainer: Bernhard Schmidt <berni@debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 1008015
Changes:
 openvpn (2.5.6-1) unstable; urgency=high
 .
   * New upstream version 2.5.6
     CVE-2022-0547 - Potential authentication by-pass with multiple deferred
     authentication plug-ins (Closes: #1008015)
Checksums-Sha1:
 5d9b2a652eb4ad874b6e9d1ef306eace6f9c3f54 2147 openvpn_2.5.6-1.dsc
 c541571e96875427c2615e16ebab496e74bbbb0d 1853186 openvpn_2.5.6.orig.tar.gz
 ee502279e6851dd08cf9da78f8c35fd6ab787ce2 58908 openvpn_2.5.6-1.debian.tar.xz
 9bb8d5fd24893839cc15d3c4b3cca59b86a0b80e 7704 openvpn_2.5.6-1_amd64.buildinfo
Checksums-Sha256:
 d74cb0f1c5f485b404ddb31067b8d3116504f4a1fef5d8f784b1ad1a6e89e1a2 2147 openvpn_2.5.6-1.dsc
 333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c53242ad3d 1853186 openvpn_2.5.6.orig.tar.gz
 38563c7b8fe5ac3f8d3cdc4fe7883dd79586b498fa6c48505751fb73c547808b 58908 openvpn_2.5.6-1.debian.tar.xz
 5d64b8239ecac9cb1108f065d90c80f4b61cf90ea3a330132b7ec721676b436f 7704 openvpn_2.5.6-1_amd64.buildinfo
Files:
 8e7d239df28b5922fc7a09d4773c3b81 2147 net optional openvpn_2.5.6-1.dsc
 434f02d3b371bf1dcd1e618e56969a4c 1853186 net optional openvpn_2.5.6.orig.tar.gz
 7651359cdb86675a933c464b38f188dd 58908 net optional openvpn_2.5.6-1.debian.tar.xz
 dc5642b7536b627ebca67bdb1564d3e6 7704 net optional openvpn_2.5.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 21 13:09:02 2022; Machine Name: bembo
