PT-2022-2043 · OpenVPN +7

David Sommerseth · Published 2022-03-18 · Updated 2025-10-20 · CVE-2022-0547

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenVPN versions 2.1 through 2.4.12
OpenVPN versions 2.5.6 and earlier

Description

The issue is related to a flaw in the authentication procedure, which can be exploited by a remote attacker to bypass authentication and gain access to confidential information. This occurs when multiple external authentication plug-ins use deferred authentication replies, allowing an external user to be granted access with only partially correct credentials.

Recommendations

For OpenVPN versions 2.1 through 2.4.12, update to a version later than 2.4.12 to resolve the issue. For OpenVPN versions 2.5.6 and earlier, update to a version later than 2.5.6 to resolve the issue. As a temporary workaround, consider disabling the use of multiple external authentication plug-ins that make use of deferred authentication replies until a patch is available.
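To find servers where the workaround applies, the following added example (not part of the advisory or of OpenVPN) lists the active `plugin` directives in a server configuration and flags files that load more than one. The sample configuration and plug-in paths are constructed; the check cannot tell whether a plug-in uses deferred authentication replies, so each flagged plug-in still has to be reviewed against its own documentation.

```python
import shlex

# Constructed sample server configuration (paths are illustrative only).
SAMPLE_CONFIG = """\
port 1194
proto udp
# plugin /usr/lib/openvpn/plugins/old-auth.so
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
; plugin /opt/disabled.so
plugin "/opt/vpn plugins/otp-auth.so" "realm=example"   # second auth module
verb 3
"""


def plugin_directives(config_text):
    """Return (line_number, module_path, args) for every active plugin line."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        try:
            # shlex handles quoted paths and drops trailing '#' comments.
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a directive we can parse
        # Accept both "plugin" and "--plugin" spellings of the directive.
        if len(tokens) >= 2 and tokens[0].lstrip("-") == "plugin":
            found.append((lineno, tokens[1], tokens[2:]))
    return found


def audit(config_text):
    """Flag a configuration that loads more than one plug-in."""
    plugins = plugin_directives(config_text)
    return {"plugins": plugins, "needs_review": len(plugins) > 1}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for lineno, path, args in result["plugins"]:
        print(f"line {lineno}: {path} {args}")
    print("multiple plug-ins loaded, review for deferred auth:",
          result["needs_review"])
```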

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2022-1915
ALT-PU-2022-1936
ALT-PU-2022-2268
ALT-PU-2022-2690
BDU:2022-01642
CVE-2022-0547
DLA-2992-1
DLA-4079-1
MGASA-2022-0123
OESA-2022-1612
OPENSUSE-SU-2022:1029-1
OPENSUSE-SU-2022_1029-1
OPENSUSE-SU-2022_1934-1
OPENSUSE-SU-2024:11968-1
SUSE-SU-2022:1024-1
SUSE-SU-2022:1029-1
SUSE-SU-2022:14937-1
SUSE-SU-2022:1934-1
SUSE-SU-2022_1024-1
SUSE-SU-2022_1029-1
SUSE-SU-2022_14937-1
SUSE-SU-2022_1934-1
USN-5347-1
USN-6850-1

Affected Products

ALT Linux
Astra Linux
Debian
Linux Mint
OpenVPN
RED OS
SUSE
Ubuntu