
CVE-2020-15078

Posted: Sat Jun 19, 2021 6:06 pm
by m2847
Hi,

Please could I query if anyone knows for sure whether TLS auth keys would be an effective stop-gap mitigation against the below CVE? That's the 'tls-auth' config option, see https://openvpn.net/community-resources ... -security/ . The OpenVPN server shouldn't even complete a TLS handshake, let alone go through any authentication process, if such keys are in effect? If so, this CVE should be mitigated while tls-auth is in place? That is, if my understanding of this CVE is correct; apologies if it's not.

https://community.openvpn.net/openvpn/w ... 2020-15078

Many Thanks

Re: CVE-2020-15078

Posted: Sat Jun 19, 2021 6:57 pm
by TinCanTech
m2847 wrote:
Sat Jun 19, 2021 6:06 pm
would TLS auth keys be an effective stop gap mitigation against the below CVE?
No, TLS auth keys make no difference. The CVE is in regard to deferred auth only.

Re: CVE-2020-15078

Posted: Sat Jun 19, 2021 7:49 pm
by m2847
Many thanks for your reply TinCanTech.

Apologies, re-reading, I think my initial query was not the clearest and 'mitigate' is the wrong word. To clarify, my query would be in relation to the scenario of an unknown/random remote agent attempting to connect to an OpenVPN server and potentially exploiting this CVE. That tls-auth might prevent that by blocking any initial attempts at connecting to begin with, before the authentication stage where this CVE resides? That it would be an extra hurdle, at least, that any attacker would need to overcome in order to potentially exploit, in that they would need the tls-auth key to start with?

In addition, to confirm: 'deferred auth', I believe, applies in scenarios where the OpenVPN server utilises LDAP or RADIUS for authentication? Where the auth-user-pass-verify and auth-user-pass options are in effect and the server uses the 'plugin' option to reference an auth source? Apologies, I don't seem to be able to locate an exact definition of 'deferred auth' in the context of OpenVPN.

Re: CVE-2020-15078

Posted: Sat Jun 19, 2021 8:02 pm
by TinCanTech
If your imaginary adversary does not have access to a valid OpenVPN client configuration file then they cannot get to the stage of exploiting deferred-auth. A TLS-Auth key is a public key and has no inherent security.
m2847 wrote:
Sat Jun 19, 2021 7:49 pm
Apologies I don't seem to be able to locate an exact definition of 'deferred auth' in the context of OpenVPN.
Then you have not been using it and can soundly sleep at night.
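
A config check for the question raised in this thread, as an added example that is not part of any forum post or of OpenVPN itself: it lists the directives in a server config that hand authentication to an external component, and whether tls-auth or tls-crypt is set. The directive set treated as external auth hooks and the sample config are assumptions; whether a given plugin or management client actually defers its answer cannot be read from the config.

```python
import shlex

# Assumption (not from the thread): directives that hand the auth decision to
# an external component. Whether it answers later (deferred) depends on that
# plugin, script or management client, not on the config file.
EXTERNAL_AUTH = {"plugin", "auth-user-pass-verify", "management-client-auth"}
CHANNEL_KEYS = {"tls-auth", "tls-crypt"}

# Constructed sample server config; all paths are placeholders.
SAMPLE = """\
port 1194
;auth-user-pass-verify /etc/openvpn/check.sh via-env
plugin /usr/lib/openvpn/example-auth.so "config /etc/openvpn/auth.conf"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(key material omitted)
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_directives(text):
    """Yield (name, args) per directive; skip comments and inline block bodies."""
    inline = None  # tag of the inline <...> block currently open
    for line in map(str.strip, text.splitlines()):
        if inline:
            if line == f"</{inline}>":
                inline = None
        elif not line or line[0] in "#;":
            continue
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            yield inline, []  # an inline <tls-auth> still means the option is set
        else:
            tokens = shlex.split(line, comments=True)
            if tokens:
                yield tokens[0].removeprefix("--"), tokens[1:]

def audit(text):
    """Report external auth hooks and control-channel key options in a config."""
    hooks, keys = [], []
    for name, args in parse_directives(text):
        if name in EXTERNAL_AUTH:
            hooks.append((name, args))
        elif name in CHANNEL_KEYS:
            keys.append(name)
    # Per the reply in the thread, a tls-auth key makes no difference to this
    # CVE, so the review flag depends only on the external auth hooks.
    return {"external_auth": hooks, "channel_keys": keys, "needs_review": bool(hooks)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
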

Re: CVE-2020-15078

Posted: Mon Jun 21, 2021 7:27 pm
by m2847
Many thanks for your help TinCanTech