FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins

Affected packages
openvpn < 2.5.6
openvpn-mbedtls < 2.5.6

Details

VuXML ID 45a72180-a640-11ec-a08b-85298243e224
Discovery 2022-03-10
Entry 2022-03-17

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.
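As an added triage example (not part of the report above and not OpenVPN or FreeBSD code), the following checks a host against the two conditions this entry names: a package version below 2.5.6 and more than one `plugin` directive in the server configuration. The sample configuration, plug-in paths and result labels are constructed for illustration, and the script cannot tell from the configuration alone whether a plug-in uses deferred authentication replies.

```python
import re

# Fixed version, taken from the "Affected packages" list (openvpn < 2.5.6).
FIXED = (2, 5, 6)

# Constructed sample config; the plug-in paths are hypothetical.
SAMPLE_CONFIG = """\
# server.conf (constructed sample)
port 1194
proto udp
; plugin /usr/local/lib/openvpn/plugins/disabled-example.so
plugin /usr/local/lib/openvpn/plugins/example-auth-a.so
plugin "/usr/local/lib/openvpn/plugins/example-auth-b.so" arg1
"""

def parse_version(pkg_version):
    """Numeric dotted prefix of a package version, e.g. '2.5.6_1' -> (2, 5, 6)."""
    m = re.match(r"\d+(?:\.\d+)*", pkg_version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {pkg_version!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def plugin_directives(config_text):
    """Module paths of all active 'plugin' directives (comment lines skipped)."""
    modules = []
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "plugin" and len(fields) > 1:
            modules.append(fields[1].strip("\"'"))
    return modules

def assess(pkg_version, config_text):
    """Classify a host against the two conditions the advisory names."""
    if parse_version(pkg_version) >= FIXED:
        return "patched"
    if len(plugin_directives(config_text)) > 1:
        # The config does not show whether these modules defer their replies.
        return "review-plugins"
    return "upgrade"

if __name__ == "__main__":
    for version in ("2.5.5", "2.5.6_1"):
        print(version, assess(version, SAMPLE_CONFIG))
```

Directives pulled in from other files referenced by the configuration are not followed, so each such file needs to be checked as well.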

References

CVE Name CVE-2022-0547
URL https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
URL https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256