Bug 1186876 – VUL-1: CVE-2020-36382: openvpn: OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger a a denial of service during the user authentication phase

Bug 1186876 - (CVE-2020-36382) VUL-1: CVE-2020-36382: openvpn: OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger a a denial of service during the user authentication phase

(CVE-2020-36382)
Summary:	VUL-1: CVE-2020-36382: openvpn: OpenVPN Access Server 2.7.3 to 2.8.7 allows r...

Status:	RESOLVED DUPLICATE of bug 1185279

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/301264/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-06-04 15:35 UTC by Gianluca Gabrielli
Modified:	2021-06-04 15:35 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-06-04 15:35:01 UTC

OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an
assert during the user authentication phase via incorrect authentication token
data in an early phase of the user authentication resulting in a denial of
service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36382
https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382/
https://openvpn.net/vpn-server-resources/release-notes/

Comment 1 Gianluca Gabrielli 2021-06-04 15:35:22 UTC

This only affect the closed source version of OpenVPN (OpenVPN Access Server). The same vulnerability has been addressed in the open source OpenVPN codebase as CVE-2020-15078 (bsc#1185279).

*** This bug has been marked as a duplicate of bug 1185279 ***