CVE-2020-36382

7.5 HIGH

📋 TL;DR

CVE-2020-36382 is a denial-of-service vulnerability in OpenVPN Access Server. A remote attacker who can reach the VPN listener sends incorrect authentication token data in an early phase of user authentication, which trips an assertion in the server and aborts the OpenVPN process. Because the assert fires before credentials are validated, no account is needed, and every user connected to that server loses connectivity until the service is restarted. Organizations running OpenVPN Access Server versions 2.7.3 through 2.8.7 with internet-facing VPN endpoints are affected; the vendor fix is in 2.8.8.

💻 Affected Systems

Products:
  • OpenVPN Access Server
Versions: 2.7.3 to 2.8.7 inclusive
Operating Systems: Linux (Access Server is shipped as Linux packages, cloud images and containers; there is no Windows build of the server)
Default Config Vulnerable: ⚠️ Yes
Notes: The assertion sits in an early phase of user authentication, before any credential or backend check, so every deployment of an affected version is exposed regardless of which authentication backend (local, PAM, LDAP, RADIUS) it uses. A single malformed exchange is enough.

📦 What is this software?

OpenVPN Access Server is the commercial, self-hosted VPN server product from OpenVPN Inc. It packages the OpenVPN tunnelling daemon with a web-based admin UI, a client portal and user authentication backends, and is commonly deployed as the remote-access entry point into a corporate network.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete VPN service outage for every connected user, requiring a manual service restart and potentially disrupting critical remote-access operations. An attacker can repeat the trigger after each restart and keep the service down.

🟠 Likely Case: Intermittent VPN service disruptions during authentication, each requiring a service restart and causing user connectivity drops.

🟢 If Mitigated: Minimal impact. With the VPN listeners restricted to trusted source ranges, crash monitoring in place and automatic restart of the service, a crash becomes a brief blip that is detected and restored quickly; patching to 2.8.8 removes the issue entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public proof-of-concept is known, but the trigger is a single authentication exchange carrying incorrect token data, so an exploit is cheap to build. The attacker needs only network reachability to the VPN listener: the assertion fires in an early phase of the user authentication code, before any credentials are checked, so no valid account is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenVPN Access Server 2.8.8 and later

Vendor Advisory: https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382/ (the same advisory and the same 2.8.8 release also cover CVE-2020-15077)

Restart Required: Yes

Instructions:

1. Back up the current Access Server configuration.
2. Upgrade to OpenVPN Access Server 2.8.8 or later, either by updating the openvpn-as package from the OpenVPN repository with the system package manager or by running the vendor installer.
3. Restart the OpenVPN Access Server services.
4. Confirm the service is running and that clients can authenticate and connect.

🔧 Temporary Workarounds

Network Filtering

Restrict the OpenVPN listeners to trusted source ranges so that only known networks can reach the authentication code path. Access Server listens on TCP 443 and UDP 1194 by default, and the authentication exchange runs over both, so filtering 443 alone leaves the UDP path open. Insert the rules at the top of the INPUT chain (-I rather than -A) so an existing broad ACCEPT rule does not shadow the DROP. Replace trusted_ip_range with your own CIDR; repeat the ACCEPT line per range.

iptables -I INPUT 1 -p tcp --dport 443 -s trusted_ip_range -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 443 -j DROP
iptables -I INPUT 3 -p udp --dport 1194 -s trusted_ip_range -j ACCEPT
iptables -I INPUT 4 -p udp --dport 1194 -j DROP

Caveat: a remote-access VPN exists to serve users on unknown networks, so source filtering is only practical for site-to-site links or users behind fixed egress addresses. For everyone else the real fix is the upgrade.

🧯 If You Can't Patch

  • Implement strict network access controls so the OpenVPN listeners (TCP 443 and UDP 1194 by default) are reachable only from the IP ranges that genuinely need them.
  • Monitor for OpenVPN Access Server crashes and restart the service automatically (for example a systemd Restart=on-failure override on the openvpnas unit). This shortens each outage but does not stop a persistent attacker from re-crashing the daemon, so treat it as a stopgap until 2.8.8 is deployed.

🔍 How to Verify

Check if Vulnerable:

Any OpenVPN Access Server version from 2.7.3 through 2.8.7 inclusive is affected. Determine the installed version and compare it against that range.

Check Version:

grep 'OpenVPN Access Server' /usr/local/openvpn_as/init.log

The installed openvpn-as package version reported by the system package manager is the authoritative source; use init.log only as a cross-check, since it records the version at initialisation time and may lag behind an in-place upgrade.

Verify Fix Applied:

Confirm the reported version is 2.8.8 or later and that clients can authenticate and connect normally. Do not send malformed authentication token data at a production server to "test" the fix: on an unpatched server it aborts the daemon for every connected user. If you need that confirmation, run it against a staging instance.
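The version check above, as an added example (not vendor tooling): it parses the version out of either a package version string or an init.log line and decides whether it falls in the 2.7.3 to 2.8.7 range. The sample init.log text and package version string are constructed, and the dpkg-query call assumes a Debian/Ubuntu host carrying the openvpn-as package.

```python
"""Decide whether an OpenVPN Access Server install is in the CVE-2020-36382
affected range (2.7.3 <= version <= 2.8.7).  Added example for this page,
not vendor code.  SAMPLE_INIT_LOG and SAMPLE_PKG_VERSION are constructed;
the dpkg-query call assumes a Debian/Ubuntu host with the openvpn-as package."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (2, 7, 3)   # first affected release
FIXED_IN: Version = (2, 8, 8)       # first release carrying the vendor fix

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple in a version string or log line, or None.
    '2.8.7-Ubuntu20' and 'OpenVPN Access Server 2.8.7' both give (2, 8, 7)."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(v: Version) -> bool:
    """Tuple comparison is lexicographic, so 2.10.x correctly sorts above 2.8.8."""
    return AFFECTED_MIN <= v < FIXED_IN


def version_from_init_log(log_text: str) -> Optional[Version]:
    """Mirror the page's grep: take the version from the first
    'OpenVPN Access Server X.Y.Z' line in init.log."""
    for line in log_text.splitlines():
        if "OpenVPN Access Server" in line:
            v = parse_version(line)
            if v:
                return v
    return None


def version_from_package() -> Optional[Version]:
    """Installed package version via dpkg (assumption: Debian/Ubuntu host).
    Returns None when dpkg or the openvpn-as package is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "openvpn-as"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


def assess(v: Optional[Version]) -> str:
    """Human-readable verdict for a parsed version (or None)."""
    if v is None:
        return "unknown: no version string found"
    dotted = ".".join(map(str, v))
    if is_affected(v):
        return f"VULNERABLE: {dotted} is within 2.7.3..2.8.7, upgrade to 2.8.8 or later"
    if v < AFFECTED_MIN:
        return (f"below the range listed for CVE-2020-36382: {dotted}; "
                "check the vendor advisory, which also covers CVE-2020-15077")
    return f"patched: {dotted} is 2.8.8 or later"


# Constructed sample inputs (not real files from a server).
SAMPLE_INIT_LOG = """\
Starting OpenVPN Access Server 2.8.7 initialisation
some unrelated log line
"""
SAMPLE_PKG_VERSION = "2.8.7-Ubuntu20"

if __name__ == "__main__":
    print("package:", assess(version_from_package()))
    print("init.log sample:", assess(version_from_init_log(SAMPLE_INIT_LOG)))
    print("package string sample:", assess(parse_version(SAMPLE_PKG_VERSION)))
```

Run it on the Access Server host; the package lookup is the verdict that matters, and the init.log path is there so the page's own grep can be cross-checked against it.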

📡 Detection & Monitoring

Log Indicators:

  • OpenVPN service crashes
  • Authentication assertion failures in logs
  • Unexpected authentication token errors

Network Indicators:

  • Multiple failed authentication attempts from single source
  • Unusual authentication packet patterns

SIEM Query:

source="openvpn" AND ("assert" OR "crash" OR "authentication failure")

The "authentication failure" term on its own is noisy on any busy VPN (mistyped passwords, expired tokens), so use it only aggregated by source address with a count threshold over a short window; the "assert" and "crash" terms, plus a service-restart event for the openvpnas unit, are the high-fidelity signals for this CVE.
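The log and network indicators above, run over sample log lines as an added example (not the product's own tooling): it flags assertion-failure and crash lines outright and raises a burst alert when one source address accumulates repeated authentication failures inside a sliding window, which is the per-source threshold the SIEM query needs to stay useful. The line formats and SAMPLE_LOG are constructed, so tune the regexes to your own openvpnas.log before relying on them.

```python
"""Run the page's log indicators over OpenVPN Access Server log lines:
flag assertion failures and daemon crashes, and flag a burst of
authentication failures from one source address.  Added example, not the
product's own tooling; SAMPLE_LOG is constructed and the line formats are
assumptions, so tune the regexes to your own openvpnas.log before use."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
SRC_RE = re.compile(r"\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\b")
# Indicator 1: the assertion itself.
ASSERT_RE = re.compile(r"assert(ion)? failed|AssertionError", re.I)
# Indicator 2: the process dying (the systemd wording for SIGABRT is an assumption).
CRASH_RE = re.compile(r"Main process exited|status=\d+/ABRT|core dumped", re.I)
# Indicator 3: an authentication failure that carries a client address.
AUTHFAIL_RE = re.compile(r"^AUTH:.*(fail|invalid|malformed)", re.I)


def scan(lines: Iterable[str], burst_threshold: int = 5,
         window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Return alerts in log order: assertion_failure, service_crash, and
    auth_failure_burst (raised once when a source reaches the threshold)."""
    alerts: List[Dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> failure times
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if ASSERT_RE.search(msg):
            alerts.append({"type": "assertion_failure", "time": ts, "line": msg})
        elif CRASH_RE.search(msg):
            alerts.append({"type": "service_crash", "time": ts, "line": msg})
        elif AUTHFAIL_RE.search(msg):
            src = SRC_RE.search(msg)
            if not src:
                continue
            q = recent[src["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:    # drop failures that fell out of the window
                q.popleft()
            if len(q) == burst_threshold:      # fire when the count reaches the threshold,
                alerts.append({                # not again on every later failure
                    "type": "auth_failure_burst", "time": ts,
                    "source": src["ip"], "count": len(q),
                })
    return alerts


# Constructed sample log: one ordinary failed login, a burst of malformed
# token attempts from a single address, then the daemon asserting and dying.
SAMPLE_LOG = """\
2021-05-20 10:14:01 AUTH: user 'alice' from 198.51.100.7:51234 authentication failed
2021-05-20 10:14:05 AUTH: from 203.0.113.45:40001 invalid auth token data
2021-05-20 10:14:06 AUTH: from 203.0.113.45:40002 invalid auth token data
2021-05-20 10:14:07 AUTH: from 203.0.113.45:40003 invalid auth token data
2021-05-20 10:14:08 AUTH: from 203.0.113.45:40004 invalid auth token data
2021-05-20 10:14:09 AUTH: from 203.0.113.45:40005 invalid auth token data
2021-05-20 10:14:09 AUTH: from 203.0.113.45:40006 invalid auth token data
2021-05-20 10:14:10 openvpn: Assertion failed in auth handler, aborting
2021-05-20 10:14:12 systemd: openvpnas.service: Main process exited, code=killed, status=6/ABRT
2021-05-20 10:14:15 openvpn: service started
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["time"].isoformat(), alert["type"],
              alert.get("source", ""), alert.get("line", ""))
```

The burst alert is the actionable one before the crash lands: an address that repeatedly fails authentication with malformed token data on an unpatched server is the precursor to the assert, and blocking it at the firewall buys time. Tune burst_threshold and window to the normal failure rate of your user base.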

🔗 References

  • OpenVPN security advisory for CVE-2020-15077 and CVE-2020-36382: https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382/