CVE-2020-11810

27.04.2020, 15:15

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
openvpn	openvpn	2.4.0 ≤ 𝑥 < 2.4.9
debian	debian_linux	8.0
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

openvpn

bullseye	2.5.1-3 fixed
jessie	not-affected
bookworm	2.6.3-1+deb12u2 fixed
bookworm (security)	2.6.3-1+deb12u2 fixed
sid	2.6.12-1 fixed
trixie	2.6.12-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

openvpn

hirsute	not-affected
groovy	not-affected
focal	Fixed 2.4.7-1ubuntu2.20.04.2 released
eoan	ignored
bionic	Fixed 2.4.4-2ubuntu1.5 released
xenial	not-affected
trusty	not-affected