CVE-2020-15078
First published: Mon Apr 26 2021(Updated: )
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
Credit: security@openvpn.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/openvpn | <2.4.4-2ubuntu1.5 | 2.4.4-2ubuntu1.5 |
| ubuntu/openvpn | <2.4.7-1ubuntu2.20.04.2 | 2.4.7-1ubuntu2.20.04.2 |
| ubuntu/openvpn | <2.4.9-3ubuntu1.1 | 2.4.9-3ubuntu1.1 |
| ubuntu/openvpn | <2.5.1-1ubuntu1.1 | 2.5.1-1ubuntu1.1 |
| ubuntu/openvpn | <2.5.1-2 | 2.5.1-2 |
| ubuntu/openvpn | <2.5.1-2 | 2.5.1-2 |
| ubuntu/openvpn | <2.5.2 | 2.5.2 |
| debian/openvpn | 2.5.1-3 2.6.3-1+deb12u2 2.6.12-1 | |
| OpenVPN | <2.4.11 | |
| OpenVPN | >=2.5.0<2.5.2 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| Ubuntu Linux | =20.10 | |
| Ubuntu Linux | =21.04 | |
| Debian GNU/Linux | =9.0 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Fedora | =34 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 | |
| Ubuntu | =20.10 | |
| Ubuntu | =21.04 | |
| Debian | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
- https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
- https://security.gentoo.org/glsa/202105-25
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
- https://usn.ubuntu.com/usn/usn-4933-1
- https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
- https://launchpad.net/bugs/cve/CVE-2020-15078
- https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573
- https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
- https://github.com/OpenVPN/openvpn/commit/3aca477a1b58714754fea3a26d0892fffc51db6b
- https://github.com/OpenVPN/openvpn/commit/0e5516a9d656ce86f7fb370c824344ea1760c255
- https://security-tracker.debian.org/tracker/CVE-2020-15078
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
- https://ubuntu.com/security/notices/USN-4933-1
- https://www.cve.org/CVERecord?id=CVE-2020-15078
- https://nvd.nist.gov/vuln/detail/CVE-2020-15078
- https://ubuntu.com/security/CVE-2020-15078
Frequently Asked Questions
What is CVE-2020-15078?
CVE-2020-15078 is a vulnerability in OpenVPN 2.5.1 and earlier versions that allows remote attackers to bypass authentication and access control channel data.
How severe is CVE-2020-15078?
CVE-2020-15078 has a severity rating of 7.5 (High).
What software versions are affected by CVE-2020-15078?
OpenVPN versions 2.4.7-1+deb10u1, 2.5.1-3, 2.6.3-1+deb12u1, and 2.6.3-2 are affected.
How can I fix CVE-2020-15078?
To fix CVE-2020-15078, update OpenVPN to version 2.4.7-1+deb10u1, 2.5.1-3, 2.6.3-1+deb12u1, or 2.6.3-2.
Where can I find more information about CVE-2020-15078?
You can find more information about CVE-2020-15078 at the following references: [link1], [link2], [link3].
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/remedy
- agent/references
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/event
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/ubuntu
- package-manager/debian
- vendor/openvpn
- canonical/openvpn
- version/openvpn/2.5.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- version/ubuntu linux/20.10
- version/ubuntu linux/21.04
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- canonical/fedora
- version/fedora/32
- version/fedora/33
- version/fedora/34
- canonical/ubuntu
- version/ubuntu/18.04
- version/ubuntu/20.04
- version/ubuntu/20.10
- version/ubuntu/21.04
- canonical/debian
- version/debian/9.0