Description:
We have identified a possible issue that could lead to LDAP authentication bypass on OpenVPN Access Server 2.8.0. We investigated this and were able to reproduce the problem. When an LDAP authentication system is used in combination with Access Server version 2.8.0 (other versions are not affected), there is a security flaw in the login process. Customers using two-factor authentication, as many fortunately do, remain protected by the extra security factor. Regardless, we recommend that anyone running Access Server 2.8.0 in combination with LDAP upgrade to the latest version immediately.
Customers that are using Access Server without LDAP are not affected by this issue. Customers using a version of Access Server other than 2.8.0 are also not affected.
Resolution:
If you are running Access Server 2.8.0 and you use LDAP authentication, you should update to the latest version as soon as possible. We released this version within hours of being able to reproduce the problem. We are also submitting a CVE report for full transparency and to make people aware that they should update. The CVE we published for this is here: CVE-2020-9853.