-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1359
   openvpn -- illegal client float can break VPN session for other users
                               17 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openvpn
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11810  

Original Bulletin: 
   http://www.vuxml.org/freebsd/8604121c-7fc2-11ea-bcac-7781e90b0c8f.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running openvpn check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

openvpn -- illegal client float can break VPN session for other users

Affected packages
  openvpn         < 2.4.8_3
  openvpn-mbedtls < 2.4.8_3
  openvpn-devel   < 202016

Details

VuXML ID  8604121c-7fc2-11ea-bcac-7781e90b0c8f
Discovery 2020-04-13
Entry     2020-04-16

Lev Stipakov and Gert Doering report:

    There is a time frame between allocating peer-id and initializing data
    channel key (which is performed on receiving push request or on async
    push-reply) in which the existing peer-id float checks do not work right.

    If a "rogue" data channel packet arrives during that time frame from
    another address and with same peer-id, this would cause client to float to
    that new address.

    The net effect of this behaviour is that the VPN session for the "victim
    client" is broken. Since the "attacker client" does not have suitable keys,
    it can not inject or steal VPN traffic from the other session. The time
    window is small and it can not be used to attack a specific client's
    session, unless some other way is found to make it disconnect and reconnect
    first.


References

CVE     CVE-2020-11810
URL     https://community.openvpn.net/openvpn/ticket/1272
URL     https://github.com/OpenVPN/openvpn/commit/f7b318f811bb43c0d3aa7f337ec6242ed2c33881
URL     https://patchwork.openvpn.net/patch/1077/
URL     https://sourceforge.net/p/openvpn/openvpn/ci/f7b318f811bb43c0d3aa7f337ec6242ed2c33881/
URL     https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html

- --------------------------END INCLUDED TEXT--------------------
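
The check below is an added example, not part of the AusCERT bulletin or the
FreeBSD VuXML entry: it compares installed package versions against the
thresholds in the "Affected packages" list above. The function names
(fixed_version, ver_lt, audit) are illustrative, and the comparator assumes
plain numeric versions with an optional _PORTREVISION suffix and no epoch.

```shell
#!/bin/sh
# Added example, not part of the bulletin: flag installed OpenVPN packages that
# are older than the fixed versions in the "Affected packages" list.

# fixed_version NAME: print the first non-affected version from the bulletin.
fixed_version() {
    case $1 in
        openvpn|openvpn-mbedtls) echo 2.4.8_3 ;;
        openvpn-devel)           echo 202016 ;;
        *) return 1 ;;           # package not covered by this bulletin
    esac
}

# ver_lt A B: succeed if A sorts before B. Handles dotted numeric versions with
# an optional _PORTREVISION suffix. Assumption: no epoch (",N") and no letters.
ver_lt() {
    a_ver=${1%%_*}; b_ver=${2%%_*}; a_rev=0; b_rev=0
    case $1 in *_*) a_rev=${1##*_} ;; esac
    case $2 in *_*) b_rev=${2##*_} ;; esac
    while [ -n "$a_ver" ] || [ -n "$b_ver" ]; do
        a_part=${a_ver%%.*}; b_part=${b_ver%%.*}
        if [ "${a_part:-0}" -lt "${b_part:-0}" ]; then return 0; fi
        if [ "${a_part:-0}" -gt "${b_part:-0}" ]; then return 1; fi
        case $a_ver in *.*) a_ver=${a_ver#*.} ;; *) a_ver= ;; esac
        case $b_ver in *.*) b_ver=${b_ver#*.} ;; *) b_ver= ;; esac
    done
    [ "$a_rev" -lt "$b_rev" ]
}

# audit: read "name version" lines on stdin, print one verdict per known package.
audit() {
    while read -r name ver; do
        fixed=$(fixed_version "$name") || continue
        if ver_lt "$ver" "$fixed"; then
            echo "VULNERABLE $name $ver (fixed in $fixed)"
        else
            echo "OK $name $ver"
        fi
    done
}

if [ "$(uname -s)" = FreeBSD ]; then
    pkg query '%n %v' openvpn openvpn-mbedtls openvpn-devel 2>/dev/null | audit
else
    # Constructed sample input so the script also runs off FreeBSD.
    printf '%s\n' 'openvpn 2.4.8_2' 'openvpn-mbedtls 2.4.8_3' 'openvpn-devel 202015' | audit
fi
```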

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----