CVE-2020-11810

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
openvpnopenvpn
2.4.0 ≤
𝑥
< 2.4.9
debiandebian_linux
8.0
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openvpn
bookworm
2.6.3-1+deb12u2
fixed
bookworm (security)
2.6.3-1+deb12u2
fixed
bullseye
2.5.1-3
fixed
jessie
not-affected
sid
2.6.12-1
fixed
trixie
2.6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openvpn
bionic
Fixed 2.4.4-2ubuntu1.5
released
eoan
ignored
focal
Fixed 2.4.7-1ubuntu2.20.04.2
released
groovy
not-affected
hirsute
not-affected
trusty
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
openvpn
suse enterprise desktop 15 SP2
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP3
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise desktop 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise desktop 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise desktop 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise sap 15 SP2
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP3
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise sap 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise sap 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise server 15 SP2
2.4.3-5.7.1
fixed
suse enterprise server 15 SP3
2.4.3-5.7.1
fixed
suse enterprise server 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise server 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise server 15 SP7
2.6.8-150600.3.14.1
fixed
openvpn-auth-pam-plugin
suse enterprise desktop 15 SP2
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP3
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise desktop 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise desktop 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise desktop 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise sap 15 SP2
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP3
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise sap 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise sap 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise server 15 SP2
2.4.3-5.7.1
fixed
suse enterprise server 15 SP3
2.4.3-5.7.1
fixed
suse enterprise server 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise server 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise server 15 SP7
2.6.8-150600.3.14.1
fixed
openvpn-dco
suse enterprise desktop 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise sap 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise server 15 SP7
2.6.8-150600.3.14.1
fixed
openvpn-dco-devel
suse enterprise desktop 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise sap 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise server 15 SP7
2.6.8-150600.3.14.1
fixed
openvpn-devel
suse enterprise desktop 15 SP2
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP3
2.4.3-5.7.1
fixed
suse enterprise desktop 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise desktop 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise desktop 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise desktop 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise sap 15 SP2
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP3
2.4.3-5.7.1
fixed
suse enterprise sap 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise sap 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise sap 15 SP7
2.6.8-150600.3.14.1
fixed
suse enterprise server 15 SP2
2.4.3-5.7.1
fixed
suse enterprise server 15 SP3
2.4.3-5.7.1
fixed
suse enterprise server 15 SP4
2.5.5-150400.1.5
fixed
suse enterprise server 15 SP5
2.5.6-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.6.8-150600.1.5
fixed
suse enterprise server 15 SP7
2.6.8-150600.3.14.1
fixed
Common Weakness Enumeration
References
https://bugzilla.suse.com/show_bug.cgi?id=1169925
https://community.openvpn.net/openvpn/ticket/1272
https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab
https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGHHV4YZANZW45KZTJJGVGPFMSXYRCKZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JII7RYYYRBPQNEGGVSOXCM7JUZ43T3VH/
https://patchwork.openvpn.net/patch/1079/
https://security-tracker.debian.org/tracker/CVE-2020-11810
https://bugzilla.suse.com/show_bug.cgi?id=1169925
https://community.openvpn.net/openvpn/ticket/1272
https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab
https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGHHV4YZANZW45KZTJJGVGPFMSXYRCKZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JII7RYYYRBPQNEGGVSOXCM7JUZ43T3VH/
https://patchwork.openvpn.net/patch/1079/
https://security-tracker.debian.org/tracker/CVE-2020-11810