An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2992 advisory.

  - OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability     when key-method 1 is used, possibly resulting in code execution. (CVE-2017-12166)

  - An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2     (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives     before the data channel crypto parameters have been initialized, the victim's connection will be dropped.
    This requires careful timing due to the small time window (usually within a few seconds) between the     victim client connection starting and the server PUSH_REPLY response back to the client. This attack will     only work if Negotiable Cipher Parameters (NCP) is in use. (CVE-2020-11810)

  - OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control     channel data on servers configured with deferred authentication, which can be used to potentially trigger     further information leaks. (CVE-2020-15078)

  - OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins     when more than one of them makes use of deferred authentication replies, which allows an external user to     be granted access with only partially correct credentials. (CVE-2022-0547)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for openvpn fixes the following issues :

  - CVE-2020-15078: Fixed authentication bypass with     deferred authentication (bsc#1185279).

  - CVE-2020-11810: Fixed race condition between allocating     peer-id and initializing data channel key (bsc#1169925).

  - CVE-2018-7544: Fixed cross-protocol scripting issue that     was discovered in the management interface     (bsc#1085803).

This update was imported from the SUSE:SLE-15:Update update project.

This update for openvpn fixes the following issues :

CVE-2020-15078: Fixed authentication bypass with deferred authentication (bsc#1185279).

CVE-2020-11810: Fixed race condition between allocating peer-id and initializing data channel key (bsc#1169925).

CVE-2018-7544: Fixed cross-protocol scripting issue that was discovered in the management interface (bsc#1085803).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4933-1 advisory.

  - An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2     (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives     before the data channel crypto parameters have been initialized, the victim's connection will be dropped.
    This requires careful timing due to the small time window (usually within a few seconds) between the     victim client connection starting and the server PUSH_REPLY response back to the client. This attack will     only work if Negotiable Cipher Parameters (NCP) is in use. (CVE-2020-11810)

  - OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control     channel data on servers configured with deferred authentication, which can be used to potentially trigger     further information leaks. (CVE-2020-15078)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This security issue is quite hard to abuse, requiring a fairly precise timing attack combined with guessing a just assigned peer-id reference. If successful, only a single client just initiating a new connection will experience a denial of service situation.(CVE-2020-11810)

Update to latest upstream OpenVPN 2.4.9 release. It contains a security fix for CVE-2020-11810.

This security issue is quite hard to abuse, requiring a fairly precise timing attack combined with guessing a just assigned peer-id reference. If successful, only a single client just initiating a new connection will experience a denial of service situation. This wi why the severity is rated low.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New openvpn packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

Lev Stipakov and Gert Doering report :

There is a time frame between allocating peer-id and initializing data channel key (which is performed on receiving push request or on async push-reply) in which the existing peer-id float checks do not work right.

If a 'rogue' data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address.

The net effect of this behaviour is that the VPN session for the 'victim client' is broken. Since the 'attacker client' does not have suitable keys, it can not inject or steal VPN traffic from the other session. The time window is small and it can not be used to attack a specific client's session, unless some other way is found to make it disconnect and reconnect first.

ID	Name	Product	Family	Severity
160475	Debian DLA-2992-1 : openvpn - LTS security update	Nessus	Debian Local Security Checks	critical
149641	openSUSE Security Update : openvpn (openSUSE-2021-734)	Nessus	SuSE Local Security Checks	critical
149458	SUSE SLED15 / SLES15 Security Update : openvpn (SUSE-SU-2021:1577-1)	Nessus	SuSE Local Security Checks	critical
149252	Ubuntu 18.04 LTS / 20.04 LTS : OpenVPN vulnerabilities (USN-4933-1)	Nessus	Ubuntu Local Security Checks	high
139090	Amazon Linux AMI : openvpn (ALAS-2020-1410)	Nessus	Amazon Linux Local Security Checks	low
136297	Fedora 30 : openvpn (2020-969414e05b)	Nessus	Fedora Local Security Checks	low
136000	Fedora 31 : openvpn (2020-e56f2deb30)	Nessus	Fedora Local Security Checks	low
135717	Slackware 14.0 / 14.1 / 14.2 / current : openvpn (SSA:2020-107-01)	Nessus	Slackware Local Security Checks	low
135714	FreeBSD : openvpn -- illegal client float can break VPN session for other users (8604121c-7fc2-11ea-bcac-7781e90b0c8f)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2020-11810

low

Tenable Plugins

critical

critical

critical

high

low

low

low

low

low