Vulnerability Name:

CVE-2020-15078 (CCN-200770)

Assigned:2020-06-25
Published:2020-06-25
Updated:2022-08-05
Summary:OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-306
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-15078

Source: CCN
Type: OpenVPN Web site
OpenVPN

Source: MISC
Type: Patch, Vendor Advisory
https://community.openvpn.net/openvpn/wiki/CVE-2020-15078

Source: MISC
Type: Broken Link
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

Source: XF
Type: UNKNOWN
openvpn-cve202015078-info-disc(200770)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220503 [SECURITY] [DLA 2992-1] openvpn security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-242ef81244

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d6b9d8497b

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-b805c26afa

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-25

Source: UBUNTU
Type: Third Party Advisory
https://usn.ubuntu.com/usn/usn-4933-1

Source: CCN
Type: IBM Security Bulletin 6479935 (MaaS360)
A vulnerability was identified and remediated in the IBM MaaS360 Cloud Extender (V2.103.000.051) and Modules

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-15078

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openvpn:openvpn:*:*:*:*:*:*:*:* (Version < 2.4.11)
  • OR cpe:/a:openvpn:openvpn:*:*:*:*:*:*:*:* (Version >= 2.5.0 and < 2.5.2)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:openvpn:openvpn:2.5.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7727
    P
    		openvpn-2.5.6-150400.3.6.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:696
    P
    		Security update for webkit2gtk3 (Important)
    2022-08-16
    oval:org.opensuse.security:def:3133
    P
    		libXRes1-1.0.7-3.53 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3597
    P
    		libgme0-0.6.0-5.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3407
    P
    		xorg-x11-libs-7.6-45.14 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94763
    P
    		openvpn-2.5.5-150400.1.5 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94519
    P
    		clamav-0.103.5-3.35.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95233
    P
    		Security update for ucode-intel (Moderate)
    2022-05-18
    oval:org.opensuse.security:def:6009
    P
    		Security update for the Linux Kernel (Important)
    2022-04-14
    oval:org.opensuse.security:def:113069
    P
    		openvpn-2.5.3-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:101946
    P
    		Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP3) (Important)
    2021-12-14
    oval:org.opensuse.security:def:106507
    P
    		openvpn-2.5.3-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:101232
    P
    		python3-bottle-0.12.13-3.3.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:111385
    P
    		Security update for openvpn (Moderate)
    2021-05-15
    oval:org.opensuse.security:def:60252
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:73618
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:40702
    P
    		Security update for openvpn-openssl1 (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:96941
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:67098
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:42827
    P
    		Security update for openvpn-openssl1 (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:107898
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:64496
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:73808
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:32916
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:45132
    P
    		Security update for openvpn-openssl1 (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:5685
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:108612
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:64686
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:75842
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:34429
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:117413
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:58739
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:37542
    P
    		Security update for openvpn-openssl1 (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:66774
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:76166
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:87380
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    BACK
    openvpn openvpn *
    openvpn openvpn *
    fedoraproject fedora 32
    fedoraproject fedora 33
    fedoraproject fedora 34
    canonical ubuntu linux 18.04
    canonical ubuntu linux 20.04
    canonical ubuntu linux 20.10
    canonical ubuntu linux 21.04
    debian debian linux 9.0
    openvpn openvpn 2.5.0