CVE-2020-15078

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Affected Software

References

• https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
• https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
• https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
• https://security.gentoo.org/glsa/202105-25
• https://usn.ubuntu.com/usn/usn-4933-1
• https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
• https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
• https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
• https://security.gentoo.org/glsa/202105-25
• https://usn.ubuntu.com/usn/usn-4933-1