Security Advisory

Access Server Security Update (CVE-2020-15077, CVE-2020-36382)

Description:

OpenVPN Access Server uses the OpenVPN 2 codebase at its core for VPN connections. This codebase contains a vulnerability that allows a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication. It is possible that this control channel data could be used to trigger further information leaks or to gain access to protected networks. If the client-side scripting feature is in use, these scripts could be obtained through such an attack, and any sensitive information they contain could be compromised.

To exploit this vulnerability, the attacker must have a valid user-locked or auto-login client profile for the vulnerable Access Server, or credentials with which to obtain such a profile. Although exploiting this vulnerability requires some preparation on the attacker's side, the severity of a successful attack is high to critical, depending on the information gained. Additionally, it was found that a denial-of-service attack against OpenVPN Access Server was possible using a similar method. We therefore strongly recommend upgrading your Access Server to the latest version to address the vulnerability.

Resolution:

Update your OpenVPN Access Server to version 2.8.8 as soon as possible; this version contains the fix for this vulnerability. The procedure for upgrading Access Server is described in the article "Keeping OpenVPN Access Server Updated". The CVEs we published for this issue are CVE-2020-36382 and CVE-2020-15077; they are related to the open source OpenVPN 2 project's CVE report CVE-2020-15078.