user/openvpn: CVE-2020-11810: clients can kill each other's sessions via false client floating
Bugzilla ID | 265 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-04-17 09:31:27 -0500 |
Modified | 2020-04-19 00:54:45 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
URL | https://community.openvpn.net/openvpn/ticket/1272 |
Description
One client can effectively stop the VPN traffic of another client via the
'client float' mechanism in case of peer_id reuse. This allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to inject or
steal VPN traffic.
Fixed in >= 2.4.9.