Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 785115 (CVE-2020-15078) - <net-vpn/openvpn-2.5.2: Authentication bypass with deferred authentication (CVE-2020-15078)
Summary: <net-vpn/openvpn-2.5.2: Authentication bypass with deferred authentication (C...
Status: RESOLVED FIXED
Alias: CVE-2020-15078
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+ cve]
Keywords: CC-ARCHES, STABLEREQ
: 786423 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-04-22 21:06 UTC by Sam James
Modified: 2021-05-26 09:51 UTC (History)
4 users (show)

See Also:
Package list:
net-vpn/openvpn-2.5.2
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-04-22 21:06:55 UTC
This affects both 2.4.x and 2.5.x. Fixed versions are 2.4.11 and 2.5.2 respectively. Here's the snippet from the announcement: The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with --auth-gen-token or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
Comment 1 Sam James archtester gentoo-dev Security 2021-04-26 15:51:23 UTC
ping
Comment 2 Ionen Wolkens gentoo-dev 2021-04-28 12:30:47 UTC
*** Bug 786423 has been marked as a duplicate of this bug. ***
Comment 3 Antonio Quartulli 2021-04-29 07:46:06 UTC
Hi there, is there something I could do to help with this?

The vulnerability has a public CVE and its impact is non-negligible for servers.

For the future: is there something the openvpn developers can do to communicate *beforehand* that a release with a security fix is coming?
This way gentoo maintainers can be prepared.

I know other distros join a specific distribution list - but I am not sure if that's the case for gentoo.

Thanks!
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-04-30 15:26:30 UTC
I will contact you via email.
Comment 5 Larry the Git Cow gentoo-dev 2021-04-30 18:59:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0355870fe3eb0f5d105bca9404a21a34e5649256

commit 0355870fe3eb0f5d105bca9404a21a34e5649256
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 18:12:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 18:58:34 +0000

    net-vpn/openvpn: bump to v2.5.2
    
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-vpn/openvpn/Manifest             |   1 +
 net-vpn/openvpn/openvpn-2.5.2.ebuild | 174 +++++++++++++++++++++++++++++++++++
 2 files changed, 175 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2021-05-01 14:06:36 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-01 14:07:29 UTC
x86 done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-01 17:12:51 UTC
ppc64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-01 17:13:02 UTC
ppc done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-01 17:14:11 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-04 19:14:03 UTC
arm done

all arches done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-04 19:14:19 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2021-05-24 01:19:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0f872033e85edb4868f76650fa205cd7d10bd07

commit a0f872033e85edb4868f76650fa205cd7d10bd07
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:16:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:19:18 +0000

    net-vpn/openvpn: security cleanup
    
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-vpn/openvpn/Manifest                |   3 -
 net-vpn/openvpn/openvpn-2.4.9.ebuild    | 170 -------------------------------
 net-vpn/openvpn/openvpn-2.5.0-r1.ebuild | 169 -------------------------------
 net-vpn/openvpn/openvpn-2.5.1-r1.ebuild | 171 --------------------------------
 4 files changed, 513 deletions(-)
Comment 14 Thomas Deutschmann gentoo-dev Security 2021-05-24 01:20:49 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:51:43 UTC
This issue was resolved and addressed in
 GLSA 202105-25 at https://security.gentoo.org/glsa/202105-25
by GLSA coordinator Thomas Deutschmann (whissi).