Mageia: 2020-0195 Critical: OpenVPN Data Channel Vulnerability
mageia
May 5, 2020
Updated openvpn packages fix security vulnerability: An issue was discovered in OpenVPN 2.4.x before 2.4.9
Summary
Updated openvpn packages fix security vulnerability:
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can
inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id.
Normally such packets are dropped, but if this packet arrives before the
data channel crypto parameters have been initialized, the victim's
connection will be dropped. This requires careful timing due to the small
time window (usually within a few seconds) between the victim client
connection starting and the server PUSH_REPLY response back to the client.
This attack will only work if Negotiable Cipher Parameters (NCP) is in
use (CVE-2020-11810).
The openvpn package has been updated to version 2.4.9, fixing the issue
and other bugs. See the upstream release notes for details.
References
- https://bugs.mageia.org/show_bug.cgi?id=26558
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/
- https://www.cve.org/CVERecord?id=CVE-2020-11810
Topics Covered
Resolution
SRPMS
- 7/core/openvpn-2.4.9-1.mga7
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 05 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0195.html
Type: security
CVE: CVE-2020-11810
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!