QID 375867

Date Published: 2021-09-20

QID 375867: Open Virtual Private Network (OpenVPN) Access Server Multiple Security Vulnerabilities

OpenVPN Access Server is a full-featured SSL VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, a simplified OpenVPN Connect UI, and OpenVPN Client software packages for Windows, Mac, Linux and mobile OS (Android and iOS) environments.

CVE-2020-15077: OpenVPN Access Server 2.8.7 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can potentially be used to trigger further information leaks.
CVE-2020-36382: OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of user authentication, resulting in a denial of service.

Affected Versions:
OpenVPN-AS Version prior to 2.8.8

QID Detection Logic (Authenticated):
The QID checks for a vulnerable version of OpenVPN Access Server by reading its version file on Linux systems.
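A version check in the spirit of the detection logic above, as an added example that is not Qualys's own detection code: it parses the version file contents numerically (so a 2.10.x release is not mistaken for an affected one by string comparison) and maps the version onto the two CVEs' stated ranges. The version file path is an assumed placeholder; the page does not give it.

```python
import re
from typing import Dict, Optional, Tuple

# ASSUMED placeholder: the page does not state where the version file lives.
VERSION_FILE = "/path/to/openvpn-as/version.txt"

FIXED_VERSION = (2, 8, 8)      # "Affected Versions: prior to 2.8.8"
DOS_RANGE_START = (2, 7, 3)    # CVE-2020-36382 affects 2.7.3 to 2.8.7

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first dotted version out of the file content as an int
    tuple, so that 2.10.0 sorts above 2.8.8 (a string compare gets this
    wrong). Returns None when no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess(text: str) -> Dict[str, object]:
    """Map a version file's content to the state described in QID 375867.
    Unparseable input is reported as unknown (None), never as safe."""
    ver = parse_version(text)
    if ver is None:
        return {"version": None, "vulnerable": None, "cves": []}
    cves = []
    if ver < FIXED_VERSION:
        cves.append("CVE-2020-15077")          # 2.8.7 and earlier
        if ver >= DOS_RANGE_START:
            cves.append("CVE-2020-36382")      # 2.7.3 through 2.8.7
    return {"version": ".".join(map(str, ver)),
            "vulnerable": bool(cves), "cves": cves}

def check_version_file(path: str = VERSION_FILE) -> Dict[str, object]:
    """Authenticated check: read the version file from disk and assess it."""
    try:
        with open(path, encoding="utf-8") as fh:
            return assess(fh.read())
    except OSError:
        return {"version": None, "vulnerable": None, "cves": []}

if __name__ == "__main__":
    # Constructed sample contents, not output captured from a real appliance.
    for sample in ("2.8.7", "2.8.8", "2.10.1", "2.6.1", "no version here"):
        print(sample, "->", assess(sample))
```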

Successful exploitation of these vulnerabilities may allow remote attackers to steal sensitive information or cause a denial of service.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 3.5 severity.
  • Solution
    Customers are advised to upgrade to the latest available version of OpenVPN Access Server.

    CVEs related to QID 375867

    Software Advisories
    Advisory ID: OpenVPN Security Advisory
    Link: openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382/