CVE-2022-0547: OpenVPN may allow authentication bypass when more than one external authentication plugin uses deferred replies, which can grant a user access with only partially confirmed data.

This issue has been addressed in the latest releases of OpenVPN. To prevent it, limit the number of external authentication plug-ins to fewer than the number of external access servers. If you are running 2.4.12 or an older release, do not use external authentication plug-ins; they were not secure.
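
A configuration audit for the condition described above, added here as an example and not taken from OpenVPN or from this advisory: it lists the `plugin` directives in a server config and flags files that load more than one. The sample config and its plugin paths are constructed, and the script cannot tell whether a plugin uses deferred replies, so a flag means the config needs manual review.

```python
import shlex

# Constructed sample config; the plugin paths are illustrative only.
SAMPLE_CONFIG = """\
port 1194
proto udp
# plugin /usr/lib/openvpn/disabled.so
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin "/opt/example/otp-auth.so" timeout=30   # constructed path
<ca>
plugin this-is-certificate-data-not-a-directive
</ca>
"""

def find_plugins(config_text):
    """Return the module path of every active `plugin` directive."""
    plugins = []
    inline_tag = None  # set while inside an inline <tag> ... </tag> block
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue  # inline file content is never a directive
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        try:
            tokens = shlex.split(line, comments=True)  # handles quotes, trailing '#'
        except ValueError:
            continue  # unbalanced quote: skip the line
        if len(tokens) >= 2 and tokens[0] == "plugin":
            plugins.append(tokens[1])
    return plugins

def needs_review(config_text):
    """True when more than one plugin is loaded (the precondition named above)."""
    return len(find_plugins(config_text)) > 1

if __name__ == "__main__":
    for path in find_plugins(SAMPLE_CONFIG):
        print("plugin:", path)
    print("manual review needed:", needs_review(SAMPLE_CONFIG))
```
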
Reduced the number of DNS queries to reduce the chances of DNS leaks. Previously, OpenVPN would make DNS queries to discover the IP address of the remote end, and would not change the address until connectivity was lost. This meant that if there were DNS issues, connectivity would be lost before the OpenVPN client could update the IP address. This issue has been resolved by no longer making DNS queries until there is connectivity loss.
Reduced the memory usage of the systemtap script on the server side. Previously, if the server was running low on memory, OpenVPN would start to allocate more memory than the low-memory systemtap script could handle, causing the OpenVPN process to crash. This issue has been resolved by reducing the memory allocation range to avoid exceeding the low-memory systemtap script.
Reduced the amount of CPU time consumed by systemtap scripts on the server side. Previously, if the server was running low on CPU, OpenVPN would start to allocate more CPU time than the low-CPU systemtap script could handle, causing the OpenVPN process to crash. This issue has

Supported VPN Providers

OpenVPN is compatible with most of the world's leading VPN providers.
There are two types of VPN providers:
A server-based VPN provider, which manages its own servers and sets up a tunnel between those servers and clients;
A client-based VPN provider, which provides an interface for the user to establish an encrypted connection to another computer that manages its own servers.
