CVE-2022-0547
published 2022-03-18

CVE-2022-0547: OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred…

Priority P265, critical, CVSS 3.1 score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.52% (87.8th percentile)
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Affected

11 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | openvpn | < openvpn 2.5.6-1 (bookworm) | openvpn 2.5.6-1 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| openvpn | openvpn | | |
| openvpn | openvpn | >= 0 < 2.5.1-3+deb11u1 | 2.5.1-3+deb11u1 |
| openvpn | openvpn | >= 0 < 2.5.6-1 | 2.5.6-1 |
| openvpn | openvpn | >= 0 < 2.5.6-1 | 2.5.6-1 |
| openvpn | openvpn | >= 0 < 2.5.6-1 | 2.5.6-1 |
| openvpn | openvpn | >= 2.1.0 < 2.4.12 | 2.4.12 |
| openvpn | openvpn | >= 2.5.0 < 2.5.6 | 2.5.6 |

Detection & IOCs

  • Authentication bypass is only possible when more than one external authentication plugin is configured AND both make use of deferred authentication replies — monitor OpenVPN configurations for multiple auth plugins with deferred auth enabled
  • Successful exploitation results in access being granted with only partially correct credentials — alert on successful OpenVPN authentications that are anomalous (e.g., unexpected source IPs, off-hours logins) against deployments running multiple auth plugins
  • Affected versions are OpenVPN 2.1 up to, but not including, 2.4.12, and 2.5.0 up to, but not including, 2.5.6; flag any OpenVPN instances reporting version strings in these ranges
  • The vulnerability is only exploitable when multiple external authentication plugins are simultaneously configured with deferred authentication; single-plugin or non-deferred configurations are not affected
  • Debian rates the scope as 'local'; review your deployment context. Fixed versions are 2.4.12+ and 2.5.6+ (upstream), 2.5.6-1 (Debian bookworm/sid/trixie/forky), and 2.5.1-3+deb11u1 (Debian bullseye)

CVSS provenance

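| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |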