[OpenVPN-NL] CVE-2022-0547: Possible auth-bypass when using multiple deferred-auth plugins

18 Mar 2022


      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A potential authentication bypass vulnerability has been reported in
OpenVPN. This vulnerability was assigned CVE-2022-0547. All versions
of OpenVPN-NL 2.4.x are affected as well.
When using multiple deferred authentication plugins in an OpenVPN
server, it can happen that a user is admitted even if one of the plugins
rejects them.
This bug can be avoided by running at most one deferred authentication
plugin. There is no issue using multiple non-deferred authentication
plugins.
Link to the announcement at openvpn.net:
https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
Best regards,
Max Fillinger
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----

iQHXBAEBCABBFiEEXj3Vjj5AbsDlPfHO5IsYow7qaagFAmI07WgjHG1heGltaWxp
YW4uZmlsbGluZ2VyQGZveGNyeXB0by5jb20ACgkQ5IsYow7qaaj8TQv/SwbhiidG
rriwOpZASgu8jrj9dD7pdslBx9y4iUyqvYhn68mi3J/+9U3TKAvJc/QG/VSpUjzH
Q32YRFh8myY7bUrUMsr3w9clJVr94P+yq9VemfXSyMa0cnem+ifLDE0CSOt8Pj6X
nBhYHy/72P4ZEx1+ycrJvGruNgGGcSo40u00KMoclrDdfaOemofWjjGTF6UcNGh7
a9XysNhc8ylRODjH0t+Q4oM8BkjKgoX89B/2+f33R0Zv6c7LLGf4ghYGfxQ4LfNy
DPpeONTArOe9Dh1GZcGMCo0gbAiLMMbI7YOVETKiK9uTQCMi2JdoIerBU9kbx/7q
wi0n+iWKT1ptHlzl8t3UVjJTif4nzRdeaRzpiRwDfY0mF/+Ig2luhzcizLlMaZj8
piD8HvtdPFLOUN7+Ff+Xw27GN021Rg7Uy2NC95dpDFKvSUTWKd8e5x+qH/KXzII/
LGL4WHczDjmjaxUduDb6CR5Z2cQgNdFqG8cm1KWSuFdiMGq0zLzREyVp
=wAlk
-----END PGP SIGNATURE-----

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

[OpenVPN-NL] CVE-2022-0547: Possible auth-bypass when using multiple deferred-auth plugins