             AUSCERT External Security Bulletin Redistribution

   openvpn -- illegal client float can break VPN session for other users
                               17 April 2020


        AusCERT Security Bulletin Summary

Product:           openvpn
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11810  

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running openvpn check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

openvpn -- illegal client float can break VPN session for other users

Affected packages
  openvpn         < 2.4.8_3
  openvpn-mbedtls < 2.4.8_3
  openvpn-devel   < 202016


VuXML ID  8604121c-7fc2-11ea-bcac-7781e90b0c8f
Discovery 2020-04-13
Entry     2020-04-16

Lev Stipakov and Gert Doering report:

    There is a time frame between allocating peer-id and initializing data
    channel key (which is performed on receiving push request or on async
    push-reply) in which the existing peer-id float checks do not work right.

    If a "rogue" data channel packet arrives during that time frame from
    another address and with the same peer-id, this would cause the client to
    float to that new address.

    The net effect of this behaviour is that the VPN session for the "victim
    client" is broken. Since the "attacker client" does not have suitable keys,
    it cannot inject or steal VPN traffic from the other session. The time
    window is small and it cannot be used to attack a specific client's
    session, unless some other way is found to make it disconnect and reconnect.



CVE     CVE-2020-11810
URL     https://community.openvpn.net/openvpn/ticket/1272
URL     https://github.com/OpenVPN/openvpn/commit/
URL     https://patchwork.openvpn.net/patch/1077/
URL     https://sourceforge.net/p/openvpn/openvpn/ci/
URL     https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/

--------------------------END INCLUDED TEXT--------------------
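The race described in the included report, shown as an added illustration that is not OpenVPN's code, not part of the FreeBSD VuXML entry, and not part of this bulletin: a simplified Python model of a server that tracks client sessions by peer-id and "floats" a session to a new source address when a data-channel packet for that peer-id arrives from elsewhere. All names (Session, DataPacket, handle_data_packet_vulnerable, handle_data_packet_fixed), the HMAC-tag packet format and the sample addresses are constructed for the example; the real OpenVPN data channel and its fix are more involved. The model contrasts a handler that floats before the data-channel key exists (the window the report describes, in which nothing can be verified) with one that refuses to float on any data packet until the key is initialised and the packet authenticates under it. A legitimate float after key setup still succeeds in the fixed variant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Session:
    """Server-side view of one client; key is None until the data channel is set up."""
    peer_id: int
    addr: Addr
    data_key: Optional[bytes] = None


@dataclass
class DataPacket:
    """Constructed toy data-channel packet: an HMAC tag over the payload under the session key."""
    peer_id: int
    src: Addr
    payload: bytes
    tag: bytes


def make_packet(key: bytes, peer_id: int, src: Addr, payload: bytes) -> DataPacket:
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return DataPacket(peer_id, src, payload, tag)


def packet_authenticates(session: Session, pkt: DataPacket) -> bool:
    """True only if the session has a data key and the packet's tag verifies under it."""
    if session.data_key is None:
        return False
    expected = hmac.new(session.data_key, pkt.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


def handle_data_packet_vulnerable(sessions: Dict[int, Session], pkt: DataPacket) -> str:
    """Model of the flawed window: peer-id is allocated but no key exists yet,
    so the float check has nothing to verify against and the session floats anyway."""
    s = sessions.get(pkt.peer_id)
    if s is None:
        return "dropped: unknown peer-id"
    if pkt.src != s.addr:
        if s.data_key is None:
            s.addr = pkt.src                     # unverified float: victim's session now points elsewhere
            return "floated (unverified)"
        if not packet_authenticates(s, pkt):
            return "dropped: bad auth"
        s.addr = pkt.src
        return "floated (verified)"
    return "accepted" if packet_authenticates(s, pkt) else "dropped: bad auth"


def handle_data_packet_fixed(sessions: Dict[int, Session], pkt: DataPacket) -> str:
    """Hardened model: never change a session's address on a data packet that
    cannot be authenticated; with no data key yet, every such packet is dropped."""
    s = sessions.get(pkt.peer_id)
    if s is None:
        return "dropped: unknown peer-id"
    if s.data_key is None:
        return "dropped: no data key yet"        # closes the window between peer-id allocation and key init
    if not packet_authenticates(s, pkt):
        return "dropped: bad auth"
    if pkt.src != s.addr:
        s.addr = pkt.src                         # float only after the packet proved key possession
        return "floated (verified)"
    return "accepted"


VICTIM_ADDR: Addr = ("198.51.100.10", 1194)      # constructed sample addresses (documentation ranges)
ROGUE_ADDR: Addr = ("203.0.113.7", 40000)
NEW_ADDR: Addr = ("192.0.2.25", 51000)


def simulate_rogue_in_window(handler) -> Tuple[str, Addr]:
    """Peer-id 7 allocated, key not yet initialised; a packet with a bogus tag arrives from elsewhere."""
    sessions = {7: Session(peer_id=7, addr=VICTIM_ADDR)}
    rogue = DataPacket(peer_id=7, src=ROGUE_ADDR, payload=b"junk", tag=b"\x00" * 32)
    return handler(sessions, rogue), sessions[7].addr


def simulate_legit_float(handler) -> Tuple[str, Addr]:
    """After key setup, the real client changes networks and sends a properly tagged packet."""
    key = b"constructed-session-key"
    sessions = {7: Session(peer_id=7, addr=VICTIM_ADDR, data_key=key)}
    pkt = make_packet(key, 7, NEW_ADDR, b"hello")
    return handler(sessions, pkt), sessions[7].addr


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_data_packet_vulnerable), ("fixed", handle_data_packet_fixed)):
        print(name, "rogue-in-window:", simulate_rogue_in_window(h))
        print(name, "legit-float:    ", simulate_legit_float(h))
```

Running the block prints the outcome of each scenario under both handlers. The point of the fixed variant is ordering: authenticate first, then float, and treat "no key yet" as "cannot authenticate" rather than as "skip the check".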

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967