David Sommerseth

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions 2.1 through 2.4.12 OpenVPN versions 2.5.6 and earlier **Description** The issue is related to a flaw in the authentication procedure, which can be exploited by a remote attacker to bypass authentication and gain access to confidential information. This occurs when multiple external authentication plug-ins use deferred authentication replies, allowing an external user to be granted access with only partially correct credentials. **Recommendations** For OpenVPN versions 2.1 through 2.4.12, update to a version later than 2.4.12 to resolve the issue. For OpenVPN versions 2.5.6 and earlier, update to a version later than 2.5.6 to resolve the issue. As a temporary workaround, consider disabling the use of multiple external authentication plug-ins that make use of deferred authentication replies until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions 2.5.1 and earlier **Description** The issue allows a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication. This can potentially be used to trigger further information leaks. The vulnerability is related to the deferred authentication function, which can be exploited to force the server to return a PUSH REPLY message with VPN settings before sending an AUTH FAILED message. **Recommendations** For OpenVPN versions 2.5.1 and earlier, update to version 2.5.2 to fix the security vulnerabilities. As a temporary workaround, consider disabling the deferred authentication feature until a patch is available. Restrict access to the control channel to minimize the risk of exploitation. Avoid using the `--auth-gen-token` option or user-specific token auth solutions in combination with deferred authentication until the issue is resolved.