Hi,
Please could I query if anyone knows for sure whether TLS auth keys would be an effective stop-gap mitigation against the below CVE? That's the 'tls-auth' config option, see https://openvpn.net/community-resources ... -security/ . The OpenVPN server shouldn't even complete a TLS handshake, let alone go through any authentication process, if such keys are in effect? If so, this CVE should be mitigated while tls-auth is in place? That is if my understanding of this CVE is correct; apologies if it's not.
https://community.openvpn.net/openvpn/w ... 2020-15078
Many Thanks
CVE-2020-15078
Re: CVE-2020-15078
Many thanks for your reply TinCanTech.
Apologies, on re-reading I think my initial query was not the clearest, and 'mitigate' is the wrong word. To clarify, my query would be in relation to the scenario of an unknown/random remote agent attempting to connect to an OpenVPN server and potentially exploiting this CVE. That tls-auth might prevent that by blocking any initial attempts at connecting to begin with, before the authentication stage where this CVE resides? That it would be an extra hurdle, at least, that any attacker would need to overcome in order to potentially exploit, in that they would need the tls-auth key to start with?
In addition, to confirm: 'deferred auth', I believe, applies in scenarios where the OpenVPN server utilises LDAP or RADIUS for authentication? Where the auth-user-pass-verify and auth-user-pass options are in effect and the server uses the 'plugin' option to reference an auth source? Apologies, I don't seem to be able to locate an exact definition of 'deferred auth' in the context of OpenVPN.
Re: CVE-2020-15078
If your imaginary adversary does not have access to a valid openvpn client configuration file then they cannot get to the stage of exploiting deferred-auth. A TLS-Auth key is a public key and has no inherent security.
Then you have not been using it and can soundly sleep at night.
Re: CVE-2020-15078
Many thanks for your help TinCanTech
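Added example, not part of the thread and not OpenVPN project code: a small config check that reports whether an HMAC control-channel key (tls-auth, or the related tls-crypt option, which the thread does not mention) is active in a server config, and whether the external-auth options the poster named (plugin, auth-user-pass-verify) are set. The function names, sample config and paths are constructed for illustration, and treating those options as signs of deferred auth is the poster's assumption rather than a definition from the OpenVPN documentation.

```python
"""Report which OpenVPN server options discussed in the thread are active."""

# 'tls-auth', 'plugin' and 'auth-user-pass-verify' are named in the thread.
# 'tls-crypt' is a related real option added here; it is not in the thread.
HMAC_GATE = {"tls-auth", "tls-crypt"}
# Assumption (the poster's reading): these indicate external/deferred auth.
EXTERNAL_AUTH = {"plugin", "auth-user-pass-verify"}

def parse_options(text):
    """Return {option: [args...]} for every active (uncommented) directive."""
    found = {}
    inline = None  # name of the <tag> inline block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue  # never record key material held inside inline blocks
        if not line or line[0] in "#;":
            continue  # blank line or comment (OpenVPN accepts '#' and ';')
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline = line[1:-1]  # e.g. <tls-auth> ... </tls-auth>
            found.setdefault(inline, [])
            continue
        name, *args = line.split()
        found.setdefault(name, []).extend(args)
    return found

def audit(text):
    """Summarise the pre-handshake HMAC gate and external-auth options."""
    opts = parse_options(text)
    return {
        "hmac_gate": sorted(HMAC_GATE & opts.keys()),
        "external_auth": sorted(EXTERNAL_AUTH & opts.keys()),
    }

# Constructed sample server config; paths and key body are placeholders.
SAMPLE = """\
;tls-auth old.key 0
<tls-auth>
(placeholder key material)
</tls-auth>
# plugin /placeholder/disabled-plugin.so
auth-user-pass-verify /placeholder/verify.sh via-env
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `hmac_gate` list means the server processes TLS handshake packets from any source; a non-empty `external_auth` list marks configs worth reviewing against the CVE advisory.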