Security Advisory Detail

OpenVPN Unauthenticated Access To Control Channel Data (CVE-2020-15078)

Advisory ID: WGSA-2022-00020
CVE: CVE-2020-15078
Impact: High
Status: Investigating
Product Family: Firebox
Published Date:
Updated Date:
Workaround Available: True
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary

A bug found in OpenVPN, which may also apply to WatchGuard Mobile VPN, could allow a remote attacker to bypass authentication and access control channel data on servers configured with deferred authentication. That data can potentially be used to trigger further information leaks. Based on the limited vulnerability details, we believe this vulnerability may impact Fireware OS releases after 12.5.3, and we have updated the version of OpenSSL included in Fireware OS 12.8.1 out of an abundance of caution.

Affected

Fireware OS before 12.8.1 and 12.5.3 up to and including 12.5.10.

Note: Firebox Fireware OS 12.1.x and earlier is not vulnerable.

Resolution

Resolved in the Fireware OS 12.8.1 release.

Advisory Product List

Product Family  Product Branch       Product List
Firebox         Firebox T (2nd Gen)  T15, T15-W, T35, T35-W, T35-R, T55, T55-W, T70
Firebox         Firebox T (3rd Gen)  T20, T20-W, T40, T40-W, T80
Firebox         Firebox M (2nd Gen)  M270, M370, M470, M570, M670
Firebox         Firebox M (3rd Gen)  M290, M390, M590, M690, M4800, M5800
Firebox         FireboxV             Small, Medium, Large, XLarge
Firebox         FireboxCloud         Small, Medium, Large, XLarge