Executive Summary

The vulnerability exists in openvpn-auth-oauth2 versions from 1.26.3 up to but not including 1.27.3 when used in experimental plugin mode. In this mode, clients that do not support WebAuth/SSO, such as the openvpn CLI on Linux, are incorrectly allowed to connect to the VPN even though the authentication logic should deny them. This happens because the plugin's return-code mechanism is not properly enforced in this mode. The default management-interface mode is not affected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized clients that do not support the intended WebAuth/SSO authentication to gain access to the VPN. This means that users who should be denied access might be admitted, potentially exposing the internal network to unauthorized access and increasing the risk of data breaches or other security incidents.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade openvpn-auth-oauth2 to version 1.27.3 or later where the issue has been patched.

Avoid using the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive) with versions between 1.26.3 and before 1.27.3, as this mode is affected.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized clients to bypass authentication and gain access to the VPN, which can lead to unauthorized access to sensitive data.

Such unauthorized access can compromise confidentiality and integrity of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of personal and health information.

Because the vulnerability results in a critical authentication bypass with a CVSS score of 10.0, it poses a significant risk to maintaining compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when the openvpn-auth-oauth2 plugin is used in experimental plugin mode (shared library loaded by OpenVPN) and incorrectly allows clients that do not support WebAuth/SSO to connect. Detection involves verifying if your OpenVPN server is running openvpn-auth-oauth2 versions from 1.26.3 up to before 1.27.3 in experimental plugin mode.

To detect exploitation attempts or presence of unauthorized clients, you can monitor OpenVPN server logs for connections from clients that do not support WebAuth/SSO, such as the openvpn CLI on Linux, which should normally be denied.

There are no specific commands provided in the available resources to detect this vulnerability directly. However, general steps include:

• Check the version of openvpn-auth-oauth2 plugin in use to confirm if it is within the vulnerable range (1.26.3 to before 1.27.3).
• Inspect OpenVPN server configuration to see if the plugin is loaded in experimental plugin mode via the plugin directive.
• Review OpenVPN logs for unexpected successful authentications from clients known not to support WebAuth/SSO (e.g., openvpn CLI on Linux).
• Use network monitoring tools to identify VPN connections from unauthorized clients.

Upgrading the plugin to version 1.27.3 or later is the recommended mitigation.

Useful 0 Not Useful 0