CVE-2020-15078

Post by m2847 » Sat Jun 19, 2021 6:06 pm

Hi,

Please could I query if anyone knows for sure whether TLS auth keys would be an effective stop-gap mitigation against the below CVE? That's the 'tls-auth' config option, see https://openvpn.net/community-resources ... -security/ . The OpenVPN server shouldn't even complete a TLS handshake, let alone go through any authentication process, if such keys are in effect? If so, this CVE should be mitigated while tls-auth is in place? That is, if my understanding of this CVE is correct; apologies if it's not.

https://community.openvpn.net/openvpn/w ... 2020-15078

Many Thanks

Re: CVE-2020-15078

Post by TinCanTech » Sat Jun 19, 2021 6:57 pm

m2847 wrote:
Sat Jun 19, 2021 6:06 pm
would TLS auth keys be an effective stop gap mitigation against the below CVE?
No, TLS auth keys make no difference. The CVE is in regard to deferred auth only.

Re: CVE-2020-15078

Post by m2847 » Sat Jun 19, 2021 7:49 pm

Many thanks for your reply TinCanTech.

Apologies, re-reading I think my initial query was not the clearest and mitigate is the wrong word. To clarify, my query would be in relation to the scenario of an unknown/random remote agent attempting to connect to an OpenVPN server and potentially exploiting this CVE. That tls-auth might prevent that by blocking any initial attempts at connecting to begin with, before the authentication stage where this CVE resides? That it would be an extra hurdle, at least, that any attacker would need to overcome in order to potentially exploit, in that they would need the tls-auth key to start with?

In addition, to confirm, 'deferred auth' I believe applies in scenarios where the OpenVPN server utilises LDAP or RADIUS for authentication? Where the auth-user-pass-verify and auth-user-pass options are in effect and the server uses the 'plugin' option to reference an auth source? Apologies I don't seem to be able to locate an exact definition of 'deferred auth' in the context of OpenVPN.

Re: CVE-2020-15078

Post by TinCanTech » Sat Jun 19, 2021 8:02 pm

If your imaginary adversary does not have access to a valid openvpn client configuration file then they cannot get to the stage of exploiting deferred-auth. A TLS-Auth key is a public key and has no inherent security.
m2847 wrote:
Sat Jun 19, 2021 7:49 pm
Apologies I don't seem to be able to locate an exact definition of 'deferred auth' in the context of OpenVPN.
Then you have not been using it and can soundly sleep at night.
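
An added example, not from the thread or the OpenVPN project: a small config audit that lists which of the options discussed above (`plugin`, `auth-user-pass-verify`, `tls-auth`) a server configuration actually sets. `management-client-auth` and `tls-crypt` are included as assumptions, the sample config is constructed, and whether a given plugin or script really defers authentication cannot be read from the config itself.

```python
import re

# Directives named in the thread, plus management-client-auth and tls-crypt
# (assumptions added here: real OpenVPN options of the same two kinds).
AUTH_HOOKS = {"plugin", "auth-user-pass-verify", "management-client-auth"}
CONTROL_CHANNEL_KEYS = {"tls-auth", "tls-crypt"}

# Constructed sample server config, not taken from the thread.
SAMPLE_CONFIG = """\
port 1194
;plugin /usr/lib/openvpn/disabled-plugin.so
plugin /usr/lib/openvpn/example-auth.so "login"
--verb 3
<tls-auth>
(constructed placeholder, not a real key)
</tls-auth>
key-direction 0
"""

def parse_directives(text):
    """Return {directive: [argument strings]} for an OpenVPN config."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside <name>...</name>: skip the embedded file
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # both comment styles
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:  # an inline block sets the directive of that name
            inline = m.group(1)
            found.setdefault(inline, []).append("[inline]")
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-")  # config files accept a leading "--"
        found.setdefault(name, []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit(text):
    """List which auth hooks and control-channel key options are set."""
    d = parse_directives(text)
    return {"auth_hooks": sorted(AUTH_HOOKS & d.keys()),
            "control_channel_key": sorted(CONTROL_CHANNEL_KEYS & d.keys())}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

An empty `auth_hooks` list means none of these external authentication hooks is configured; a non-empty one is a prompt to check how that plugin or script returns its verdict.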

Re: CVE-2020-15078

Post by m2847 » Mon Jun 21, 2021 7:27 pm

Many thanks for your help TinCanTech
