Bug 785115 (CVE-2020-15078)

Summary: <net-vpn/openvpn-2.5.2: Authentication bypass with deferred authentication (CVE-2020-15078)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: a, alexander, chutzpah, williamh
Priority: Normal
Keywords: CC-ARCHES, STABLEREQ
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
Whiteboard: B4 [glsa+ cve]
Package list: net-vpn/openvpn-2.5.2
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-22 21:06:55 UTC
This affects both 2.4.x and 2.5.x. Fixed versions are 2.4.11 and 2.5.2 respectively. Here's the snippet from the announcement:

The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.

In combination with --auth-gen-token or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
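
An exposure triage based on the description above, added here as an example and not part of the original report or of OpenVPN's code. It compares a server version against the fixed releases named in the description and looks in the server config for the directives behind the announced conditions. The assumptions are that `plugin` or `management-client-auth` indicates deferred authentication (a heuristic, since not every plugin defers), that the sample config and result labels are constructed, and that a user-specific token solution cannot be detected from the config.

```python
import re

# Fixed release per branch, as stated in the bug description.
FIXED = {(2, 4): (2, 4, 11), (2, 5): (2, 5, 2)}
# Assumption: these directives are how plugin/management deferred auth is enabled.
DEFERRED_AUTH = {"plugin", "management-client-auth"}

# Constructed sample server config (not taken from the page).
SAMPLE_CONFIG = """\
# constructed example
port 1194
proto udp
plugin /path/to/auth-plugin.so
auth-gen-token 3600
"""

def parse_version(text):
    """Extract (major, minor, patch) from '2.5.1-r1' or 'OpenVPN 2.4.9 x86_64 ...'."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(version):
    """True only for the 2.4.x / 2.5.x branches when older than that branch's fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def config_directives(config_text):
    """Return the set of directive names, ignoring '#' and ';' comments."""
    names = set()
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            names.add(line.split()[0].lstrip("-"))
    return names

def triage(version, config_text):
    """Map version + config to one of four constructed exposure labels."""
    if not version_affected(version):
        return "not-affected-version"
    names = config_directives(config_text)
    if not names & DEFERRED_AUTH:
        return "affected-version-no-deferred-auth"
    if "auth-gen-token" in names:
        return "affected-deferred-auth-with-token"   # access with invalid account possible
    return "affected-deferred-auth"                  # PUSH_REPLY information exposure
```

A result of `affected-version-no-deferred-auth` still calls for the upgrade to 2.4.11 or 2.5.2; the label only indicates that the conditions named in the announcement were not found in the config.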
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-26 15:51:23 UTC
ping
Comment 2 Ionen Wolkens gentoo-dev 2021-04-28 12:30:47 UTC
*** Bug 786423 has been marked as a duplicate of this bug. ***
Comment 3 Antonio Quartulli 2021-04-29 07:46:06 UTC
Hi there, is there something I could do to help with this?

The vulnerability has a public CVE and its impact is non-negligible for servers.

For the future: is there something the openvpn developers can do to communicate *beforehand* that a release with a security fix is coming?
This way gentoo maintainers can be prepared.

I know other distros join a specific distribution list - but I am not sure if that's the case for gentoo.

Thanks!
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-30 15:26:30 UTC
I will contact you via email.
Comment 5 Larry the Git Cow gentoo-dev 2021-04-30 18:59:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0355870fe3eb0f5d105bca9404a21a34e5649256

commit 0355870fe3eb0f5d105bca9404a21a34e5649256
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 18:12:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 18:58:34 +0000

    net-vpn/openvpn: bump to v2.5.2
    
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-vpn/openvpn/Manifest             |   1 +
 net-vpn/openvpn/openvpn-2.5.2.ebuild | 174 +++++++++++++++++++++++++++++++++++
 2 files changed, 175 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 14:06:36 UTC
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 14:07:29 UTC
x86 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 17:12:51 UTC
ppc64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 17:13:02 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 17:14:11 UTC
amd64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 19:14:03 UTC
arm done

all arches done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 19:14:19 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2021-05-24 01:19:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0f872033e85edb4868f76650fa205cd7d10bd07

commit a0f872033e85edb4868f76650fa205cd7d10bd07
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:16:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:19:18 +0000

    net-vpn/openvpn: security cleanup
    
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-vpn/openvpn/Manifest                |   3 -
 net-vpn/openvpn/openvpn-2.4.9.ebuild    | 170 -------------------------------
 net-vpn/openvpn/openvpn-2.5.0-r1.ebuild | 169 -------------------------------
 net-vpn/openvpn/openvpn-2.5.1-r1.ebuild | 171 --------------------------------
 4 files changed, 513 deletions(-)
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 01:20:49 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:51:43 UTC
This issue was resolved and addressed in
 GLSA 202105-25 at https://security.gentoo.org/glsa/202105-25
by GLSA coordinator Thomas Deutschmann (whissi).