CVE-2020-15078

Severity: Medium
Remote: Yes
Type: Authentication bypass

OpenVPN 2.5.1 and earlier versions allow a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Under very specific circumstances, this bug allows an attacker to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.

In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. If you are not using one of auth-gen-token, plugin, or management in your config, you are safe.

The issue is fixed in OpenVPN version 2.5.2.
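
A defender-side check for the two conditions stated above, as an added example that is not part of the advisory or of OpenVPN: it flags a server as exposed only when its version is below 2.5.2 and its config uses one of auth-gen-token, plugin, or management. The function names and the sample config are constructed for illustration, and every version below 2.5.2 is treated as affected, as the advisory states.

```python
import re

FIXED = (2, 5, 2)  # first fixed release named in the advisory
# Directives the advisory names as preconditions for exposure.
RISKY = {"auth-gen-token", "plugin", "management"}


def parse_version(text):
    """Turn '2.5.1' or a package version such as '2.5.1-1' into (2, 5, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def risky_directives(config_text):
    """Return the advisory's directives found in an OpenVPN config, in file order."""
    found = []
    for raw in config_text.splitlines():
        # '#' and ';' start comments in OpenVPN config files
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name = line.split()[0].lstrip("-")  # tolerate a leading "--"
        if name in RISKY and name not in found:
            found.append(name)
    return found


def assess(version, config_text):
    """Return (exposed, directives) for one server version and config."""
    hits = risky_directives(config_text)
    exposed = parse_version(version) < FIXED and bool(hits)
    return exposed, hits


# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
port 1194
proto udp
; management 127.0.0.1 7505
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
auth-gen-token 3600   # token lifetime in seconds
"""

if __name__ == "__main__":
    for ver in ("2.5.1-1", "2.5.2-1"):
        print(ver, assess(ver, SAMPLE))
```
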

Group     Package  Affected  Fixed    Severity  Status  Ticket
AVG-1861  openvpn  2.5.1-1   2.5.2-1  Medium    Fixed