CVE-2020-15078: 
OpenVPN vulnerability analysis and mitigation

OpenVPN 2.5.1 and earlier versions contains a security vulnerability identified as CVE-2020-15078. The vulnerability allows remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, potentially leading to information leaks. This vulnerability affects all OpenVPN versions up to and including 2.5.1 (NVD).

The vulnerability stems from incorrect handling of deferred authentication in OpenVPN servers. It has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD). The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-305 (Authentication Bypass by Primary Weakness).

When exploited, this vulnerability allows attackers to bypass authentication mechanisms and gain unauthorized access to control channel data on OpenVPN servers that are configured with deferred authentication. This access could potentially be leveraged to trigger additional information leaks (Ubuntu Security).

The vulnerability has been patched in OpenVPN version 2.5.2. System administrators are advised to upgrade to this version or later. As a temporary workaround, servers can be configured to not use deferred authentication. Various Linux distributions have released security updates: Ubuntu users should upgrade to versions 2.5.1-1ubuntu1.1 (21.04), 2.4.9-3ubuntu1.1 (20.10), 2.4.7-1ubuntu2.20.04.2 (20.04), or 2.4.4-2ubuntu1.5 (18.04) (Ubuntu Security).