PT-2020-2060 · Openvpn+5
Lev Stipakov · Published 2020-04-17 · Updated 2024-06-15 · CVE-2020-11810
CVSS v2.0: 4.3 (Medium), vector AV:N/AC:M/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
OpenVPN versions 2.4.x through 2.4.8
Description
An issue was discovered in OpenVPN where an attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use. The vulnerability can be exploited to redirect a client session to a new IP address and cause a denial of service.
Recommendations
For OpenVPN versions 2.4.x through 2.4.8, update to version 2.4.9 to resolve the issue. As a temporary workaround, consider disabling Negotiable Cipher Parameters (NCP) until a patch is available. Restrict access to the vulnerable data channel v2 (P_DATA_V2) packet to minimize the risk of exploitation. Avoid using the peer-id parameter in the affected API endpoint until the issue is resolved.
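The following is an added example and is not code from this advisory or from the OpenVPN project. It is a POSIX shell check a defender can run against a host: it reads the first line of `openvpn --version`, classifies the build as affected (2.4.0 through 2.4.8) or not (2.4.9 and later, or any other branch), and, for an affected build, inspects the configuration for the temporary NCP workaround the recommendation describes. `ncp-disable` and `ncp-ciphers` are real OpenVPN 2.4 directives; the version banners, the configuration texts and the default path `/etc/openvpn/server.conf` are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the PT advisory or of OpenVPN itself.
# Classifies an OpenVPN build against CVE-2020-11810 (2.4.0 .. 2.4.8 affected,
# fixed in 2.4.9) and checks whether a config applies the ncp-disable workaround.

# Constructed sample inputs (assumptions, not captured from a real host).
SAMPLE_BANNER='OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Jan 1 2020'
FIXED_BANNER='OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Apr 17 2020'

# NCP left at its 2.4 default (enabled): the attack window described above exists.
SAMPLE_CFG_EXPOSED='port 1194
proto udp
dev tun
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM'

# Temporary workaround: NCP disabled, both sides use the static --cipher value.
SAMPLE_CFG_WORKAROUND='port 1194
proto udp
dev tun
cipher AES-256-GCM
# workaround for CVE-2020-11810 until 2.4.9 is deployed
ncp-disable'

# version_from_banner BANNER -> prints the version token from "OpenVPN X.Y.Z ..."
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([^ ]*\).*/\1/p'
}

# is_affected VERSION -> exit 0 if VERSION is 2.4.0 .. 2.4.8 (optionally with a
# "_suffix" such as a git tag), exit 1 otherwise. "2.4.9" and "2.4.10" do not match.
is_affected() {
    case "$1" in
        2.4.[0-8]|2.4.[0-8]_*) return 0 ;;
        *) return 1 ;;
    esac
}

# ncp_workaround_present CONFIG_TEXT -> exit 0 if an uncommented "ncp-disable"
# directive is present (a leading '#' or ';' would make it a comment).
ncp_workaround_present() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ncp-disable([[:space:]]|$)'
}

# assess BANNER CONFIG_TEXT -> prints one of:
#   unknown-version | not-affected | affected-workaround | affected-exposed
assess() {
    ver=$(version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown-version"
    elif ! is_affected "$ver"; then
        echo "not-affected"
    elif ncp_workaround_present "$2"; then
        echo "affected-workaround"
    else
        echo "affected-exposed"
    fi
}

main_demo() {
    echo "constructed 2.4.8, NCP enabled : $(assess "$SAMPLE_BANNER" "$SAMPLE_CFG_EXPOSED")"
    echo "constructed 2.4.8, ncp-disable : $(assess "$SAMPLE_BANNER" "$SAMPLE_CFG_WORKAROUND")"
    echo "constructed 2.4.9, NCP enabled : $(assess "$FIXED_BANNER" "$SAMPLE_CFG_EXPOSED")"
    # Live check on this host, only when an openvpn binary and a readable config exist.
    cfg="${1:-/etc/openvpn/server.conf}"   # path is an assumption; pass your own as $1
    if command -v openvpn >/dev/null 2>&1 && [ -r "$cfg" ]; then
        echo "this host ($cfg)            : $(assess "$(openvpn --version 2>/dev/null | head -n 1)" "$(cat "$cfg")")"
    fi
}

main_demo "$@"
```

Run it as `sh check_ncp.sh /etc/openvpn/server.conf`; the three constructed lines always print, and the live line appears only where an `openvpn` binary is installed. The classification deliberately treats the workaround as a separate state from "not affected", because the advisory's recommendation is to upgrade to 2.4.9 and to use `ncp-disable` only until that upgrade is done.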
Tags: Exploit, Fix, Race Condition, RCE
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Openvpn
Suse
Ubuntu