[OpenVPN-NL] CVE-2022-0547: Possible auth-bypass when using multiple deferred-auth plugins
Max Fillinger
maximilian.fillinger at foxcrypto.com
Fri Mar 18 21:41:51 CET 2022
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A potential authentication bypass vulnerability has been reported in
OpenVPN. This vulnerability was assigned CVE-2022-0547. All versions
of OpenVPN-NL 2.4.x are affected as well.
When using multiple deferred authentication plugins in an OpenVPN
server, it can happen that a user is admitted even if one of the plugins
rejects them.
This bug can be avoided by running at most one deferred authentication
plugin. There is no issue using multiple non-deferred authentication
plugins.
Link to the announcement at openvpn.net:
https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
Best regards,
Max Fillinger
-----BEGIN PGP SIGNATURE-----
iQHXBAEBCABBFiEEXj3Vjj5AbsDlPfHO5IsYow7qaagFAmI07WgjHG1heGltaWxp
YW4uZmlsbGluZ2VyQGZveGNyeXB0by5jb20ACgkQ5IsYow7qaaj8TQv/SwbhiidG
rriwOpZASgu8jrj9dD7pdslBx9y4iUyqvYhn68mi3J/+9U3TKAvJc/QG/VSpUjzH
Q32YRFh8myY7bUrUMsr3w9clJVr94P+yq9VemfXSyMa0cnem+ifLDE0CSOt8Pj6X
nBhYHy/72P4ZEx1+ycrJvGruNgGGcSo40u00KMoclrDdfaOemofWjjGTF6UcNGh7
a9XysNhc8ylRODjH0t+Q4oM8BkjKgoX89B/2+f33R0Zv6c7LLGf4ghYGfxQ4LfNy
DPpeONTArOe9Dh1GZcGMCo0gbAiLMMbI7YOVETKiK9uTQCMi2JdoIerBU9kbx/7q
wi0n+iWKT1ptHlzl8t3UVjJTif4nzRdeaRzpiRwDfY0mF/+Ig2luhzcizLlMaZj8
piD8HvtdPFLOUN7+Ff+Xw27GN021Rg7Uy2NC95dpDFKvSUTWKd8e5x+qH/KXzII/
LGL4WHczDjmjaxUduDb6CR5Z2cQgNdFqG8cm1KWSuFdiMGq0zLzREyVp
=wAlk
-----END PGP SIGNATURE-----
More information about the list-openvpn-nl
mailing list