CVE-2020-7042
Description
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
openfortivpn 1.11.0 fails to validate TLS certificates due to use of uninitialized memory in the hostname check, causing valid certificates to be rejected.
Vulnerability
In openfortivpn version 1.11.0, when used with OpenSSL 1.0.2 or later, the certificate validation code in tunnel.c mishandles the hostname check because X509_check_host is called on an uninitialized buffer rather than on the configured gateway host name [1]. This results in a valid certificate never being accepted; only a malformed certificate may be accepted [1]. The issue was fixed in version 1.12.0 [2].
Exploitation
An attacker does not need to exploit this actively; the vulnerability is a denial-of-service condition where legitimate connections are rejected. However, if an attacker can provide a malformed certificate, it might be incorrectly accepted, potentially allowing a man-in-the-middle attack. The attacker would need to be in a position to intercept the VPN connection and present a crafted certificate.
Impact
The primary impact is that valid certificates are never accepted, preventing successful VPN connections. In the worst case, a malformed certificate could be accepted, leading to potential authentication bypass and man-in-the-middle attacks, compromising confidentiality and integrity of the VPN traffic.
Mitigation
The vulnerability is fixed in openfortivpn version 1.12.0 [2]. Users should upgrade to this version or later. No workaround is documented.
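The 1.12.0 fix ("supply proper input buffer to X509_check_host") hands X509_check_host the configured gateway host as a NUL-terminated string (length argument 0) and treats only a return value of exactly 1 as a valid certificate. The C model below is an added example, not openfortivpn or OpenSSL code, and does not link OpenSSL: it implements the same calling contract (1 match, 0 mismatch, -1 error, -2 malformed input) over a constructed stand-in certificate. `struct fake_cert`, `check_host`, `gateway_cert_valid` and `sample_cert` are assumptions made for the example; the wildcard policy (single left-most `*` label, at least two labels after it) is a conservative reading of RFC 6125, not a claim about OpenSSL's exact rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an X509 certificate (assumption, not an OpenSSL
 * type): only the SAN dNSName entries matter for host-name validation. */
struct fake_cert {
    const char *dns_names[4];
    size_t n_dns_names;
};

/* Case-insensitive comparison of two byte ranges (DNS names are ASCII). */
static int equal_ci(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one dNSName identity against a NUL-terminated host.  A '*' is honoured
 * only as the complete left-most label and only when two or more labels follow. */
static int dns_id_matches(const char *id, const char *host)
{
    if (id[0] == '*' && id[1] == '.') {
        const char *host_dot = strchr(host, '.');
        if (strchr(id + 2, '.') == NULL)          /* "*.com" is too broad */
            return 0;
        if (host_dot == NULL || host_dot == host)   /* wildcard must cover one non-empty label */
            return 0;
        return equal_ci(id + 1, strlen(id + 1), host_dot, strlen(host_dot));
    }
    return equal_ci(id, strlen(id), host, strlen(host));
}

/* Same calling contract as X509_check_host(): hostlen == 0 means "host is
 * NUL-terminated".  Returns 1 on match, 0 on mismatch, -1 on internal error
 * and -2 on malformed input (empty name, embedded NUL, oversized name). */
int check_host(const struct fake_cert *cert, const char *host, size_t hostlen)
{
    char name[256];

    if (cert == NULL || host == NULL)
        return -1;
    if (hostlen == 0)
        hostlen = strlen(host);
    if (hostlen == 0 || hostlen >= sizeof name || memchr(host, '\0', hostlen) != NULL)
        return -2;
    memcpy(name, host, hostlen);
    name[hostlen] = '\0';

    for (size_t i = 0; i < cert->n_dns_names; i++) {
        const char *id = cert->dns_names[i];
        if (id == NULL || id[0] == '\0')
            return -2;                             /* malformed identity in the certificate */
        if (dns_id_matches(id, name))
            return 1;
    }
    return 0;
}

/* Mirrors the fixed openfortivpn call: compare against the configured gateway
 * host and accept only an exact return value of 1 as "certificate valid". */
int gateway_cert_valid(const struct fake_cert *cert, const char *gateway_host)
{
    return check_host(cert, gateway_host, 0) == 1;
}

/* Constructed sample certificate with one exact and one wildcard dNSName. */
const struct fake_cert *sample_cert(void)
{
    static const struct fake_cert cert = { { "vpn.example.com", "*.corp.example.net" }, 2 };
    return &cert;
}

int main(void)
{
    const char *hosts[] = { "VPN.example.com", "gw.corp.example.net",
                            "x.y.corp.example.net", "other.example.com", "" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s check_host=%2d valid=%d\n", hosts[i],
               check_host(sample_cert(), hosts[i], 0),
               gateway_cert_valid(sample_cert(), hosts[i]));
    return 0;
}
```

The point to take from the model is the one the fix makes: the host-name argument must be the initialised, NUL-terminated gateway name from the configuration, and the caller must distinguish a match (1) from a mismatch (0) and from the negative error codes, accepting only 1.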
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- openfortivpn/openfortivpn (GitHub): = 1.11.0
- pkg:rpm/opensuse/openfortivpn, distro=openSUSE Leap 15.1 (no CPE): < 1.12.0-lp151.2.5.1
- pkg:rpm/opensuse/openfortivpn, distro=openSUSE Tumbleweed (no CPE): < 1.17.1-1.1
- pkg:rpm/suse/openfortivpn, distro=SUSE Package Hub 15 SP1 (no CPE): < 1.12.0-bp151.3.3.1
Patches
cd9368c6a1b4 openfortivpn version 1.12.0 (2 files changed · +13 −1)
CHANGELOG.md+12 −0 modified@@ -14,6 +14,18 @@ Releases This high level changelog is usually updated when a release is tagged. On the master branch there may be changes that are not (yet) described here. +### 1.12.0 + +* [-] fix CVE-2020-7043: TLS Certificate CommonName NULL Byte Vulnerability +* [-] fix CVE-2020-7042: use of uninitialized memory in X509_check_host +* [-] fix CVE-2020-7041: incorrect use of X509_check_host (regarding return value). +* [-] always hide cleartest password in -vv output +* [+] add a clear warning about sensitive information in the debug output +* [+] add a hint in debug output when password is read from config file +* [-] fix segfault when connecting with empty password +* [+] use resolvconf if available to update resolv.conf file +* [~] replace semicolon by space in dns-suffix string + ### 1.11.0 * [+] allow to connect with empty password (and with smartcard instead of username)
configure.ac+1 −1 modified@@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.63]) -AC_INIT([openfortivpn], [1.11.0]) +AC_INIT([openfortivpn], [1.12.0]) AC_CONFIG_SRCDIR([src/main.c]) AM_INIT_AUTOMAKE([foreign subdir-objects])
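Review bot: in the CHANGELOG.md hunk the new 1.12.0 entry `* [-] always hide cleartest password in -vv output` misspells "cleartext", and the CVE-2020-7041 line ends with a full stop while the sibling entries do not; the configure.ac version bump itself needs no change.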
9eee997d599a supply proper input buffer to X509_check_host (1 file changed · +5 −3)
src/tunnel.c+5 −3 modified@@ -652,7 +652,6 @@ static int ssl_verify_cert(struct tunnel *tunnel) char *line; int i; X509_NAME *subj; - char common_name[FIELD_SIZE + 1]; SSL_set_verify(tunnel->ssl_handle, SSL_VERIFY_PEER, NULL); @@ -666,10 +665,13 @@ static int ssl_verify_cert(struct tunnel *tunnel) #ifdef HAVE_X509_CHECK_HOST // Use OpenSSL native host validation if v >= 1.0.2. - // correctly check return value of X509_check_host - if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL) == 1) + // compare against gateway_host and correctly check return value + // to fix piror Incorrect use of X509_check_host + if (X509_check_host(cert, tunnel->config->gateway_host, + 0, 0, NULL) == 1) cert_valid = 1; #else + char common_name[FIELD_SIZE + 1]; // Use explicit Common Name check if native validation not available. // Note: this will ignore Subject Alternative Name fields. if (subj
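Review bot: the new comment `// to fix piror Incorrect use of X509_check_host` misspells "prior" and should not capitalise "Incorrect". Passing `0` as the length argument makes OpenSSL read `tunnel->config->gateway_host` as a NUL-terminated string, so the comment should state that the configuration string is guaranteed NUL-terminated. Moving `char common_name[FIELD_SIZE + 1];` into the `#else` branch is the right fix: in the removed line the native-validation path passed that array, which nothing in the `HAVE_X509_CHECK_HOST` branch filled, as the host name.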
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00009.html (vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00011.html (vendor advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKNKSGBVYGRRVRLFEFBEKUEJYJR5LWOF/ (vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FF6HYIBREQGATRM5COF57MRQWKOKCWZ3/ (vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SRVVNXCNTNMPCIAZIVR4FAGYCSU53FNA/ (vendor advisory, x_refsource_FEDORA)
- github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3 (x_refsource_CONFIRM)
- github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4 (x_refsource_MISC)
- github.com/adrienverge/openfortivpn/issues/536 (x_refsource_MISC)
News mentions
No linked articles in our index yet.