Vulnerability Details : CVE-2020-15078
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
Exploit prediction scoring system (EPSS) score for CVE-2020-15078
Probability of exploitation activity in the next 30 days: 1.88%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-15078
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
nvd@nist.gov |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
nvd@nist.gov |
CWE ids for CVE-2020-15078
-
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Assigned by: security@openvpn.net (Secondary)
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15078
-
https://usn.ubuntu.com/usn/usn-4933-1
USN-4933-1: OpenVPN vulnerabilities | Ubuntu security notices | UbuntuThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
[SECURITY] Fedora 33 Update: openvpn-2.4.11-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
Just a moment...Broken Link
-
https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
Just a moment...Patch;Vendor Advisory
-
https://security.gentoo.org/glsa/202105-25
OpenVPN: Authentication bypass (GLSA 202105-25) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
[SECURITY] Fedora 32 Update: openvpn-2.4.11-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
[SECURITY] [DLA 2992-1] openvpn security updateMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
[SECURITY] Fedora 34 Update: openvpn-2.5.2-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Products affected by CVE-2020-15078
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*
- cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*