CVE-2020-15078: OpenVPN - authentication bypass
Versions Affected : All versions prior to TrueNAS 12.0-U3.1
Description
OpenVPN 2.5.1 and earlier versions allow a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
This bug allows an attacker, under very specific circumstances, to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution, it can be possible to get access to a VPN with an otherwise-invalid account.
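To check whether a server configuration matches the conditions described above, the following added example (not part of the original advisory and not OpenVPN or TrueNAS code) scans config text for the directives that hand authentication to a plugin or the management interface, and for `auth-gen-token`. The sample config, the plugin path and the exposure labels are constructed for illustration; a `plugin` line only indicates that deferred authentication may be in use.

```python
# Added example: flag OpenVPN server config directives tied to CVE-2020-15078.
DEFERRED_CAPABLE = {"plugin", "management-client-auth"}  # plugin / management auth
TOKEN_DIRECTIVE = "auth-gen-token"

# Constructed sample config; the plugin path is hypothetical.
SAMPLE_CONFIG = """\
port 1194
dev tun
server 10.8.0.0 255.255.255.0
# authentication is delegated to a plugin
plugin /usr/local/lib/openvpn/plugins/example-auth.so
auth-gen-token 3600
<ca>
plugin text inside an inline block is data, not a directive
</ca>
"""


def directive_names(config_text):
    """Return the set of directive names, skipping comments and inline blocks."""
    names, inline_tag = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:                      # inside <tag> ... </tag>
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            if not line.startswith("</"):
                inline_tag = line[1:-1]
            continue
        names.add(line.split()[0].lstrip("-"))
    return names


def assess(config_text):
    """Classify exposure using labels chosen for this example."""
    names = directive_names(config_text)
    deferred = sorted(names & DEFERRED_CAPABLE)
    token = TOKEN_DIRECTIVE in names
    if not deferred:
        exposure = "none-detected"
    elif token:
        exposure = "auth-bypass-possible"
    else:
        exposure = "info-leak-possible"
    return {"deferred_via": deferred, "auth_gen_token": token, "exposure": exposure}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```

A user-specific token auth solution implemented outside these directives is not visible to this check and has to be reviewed separately.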
Workaround
No workaround is available. However, systems that do not use OpenVPN are not vulnerable.
Mitigation
- Upgrade to 12.0-U3.1 or later