Reporting Vulnerabilities

Vulnerabilities can be reported to [email protected]; the GPG key below can be used to encrypt these reports.

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=
=+Yd3
-----END PGP PUBLIC KEY BLOCK-----

Pritunl - CVE-2020-25200

CVE-2020-25200 is not valid and was submitted to MITRE even though the author of the CVE had been informed that it is not a vulnerability. The Pritunl server has a rate limit attached to each administrator user: if more than 20 login attempts are made on a user, that user is locked for a timeout. When this occurs the response message on the login changes from "Authentication credentials are not valid" to "Too many authentication attempts". If an invalid administrator username is entered the response will always be "Authentication credentials are not valid".

There is no intention to hide whether an administrator username is valid. Timing attacks would likely be far more effective at discovering whether a username is valid, and this method requires 20 requests per username. There is little to no security risk from the server disclosing whether a username is valid. Even if this web response were changed to not disclose username validity, timing attacks would remain possible. Given the unpredictable latency from the user-configured database and hosting environment, it would be difficult and resource intensive to eliminate every way the server could disclose through timing whether a username is valid.
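The lockout behaviour described above, modelled as an added Python example. This is not Pritunl's code: the threshold of 20 attempts and the two response messages follow the description on this page, while the `LoginService` and `username_exists` names, the PBKDF2 password check, the lack of a timeout expiry and the optional `uniform_response` mode (which gives unknown usernames their own counter so both paths produce the same messages) are assumptions of the toy. It shows the 20-request probe the page refers to, and why unifying the messages does not remove the timing difference: the unknown-username path never runs the slow password hash.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 20
MSG_INVALID = "Authentication credentials are not valid"
MSG_LOCKED = "Too many authentication attempts"

# Iteration count lowered for the toy so the demo runs quickly (assumption).
PBKDF2_ROUNDS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Admin:
    salt: bytes
    pw_hash: bytes
    failed: int = 0  # consecutive failed logins; the lock never expires in this toy


class LoginService:
    """Per-administrator rate limit: each known user carries its own failure
    counter and is locked once MAX_ATTEMPTS failures have been recorded.
    Unknown usernames have no counter, so they always get MSG_INVALID."""

    def __init__(self, uniform_response: bool = False):
        self.admins: dict[str, Admin] = {}
        self.uniform = uniform_response
        # Only used in uniform mode: counters for names that do not exist.
        # Unbounded in this toy; a real server must cap or expire these.
        self.ghost_failed: dict[str, int] = {}

    def add_admin(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.admins[username] = Admin(salt, _hash(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        admin = self.admins.get(username)
        if admin is None:
            # Fast path: no PBKDF2 work is done, which is the timing
            # difference that remains even when the messages are unified.
            if self.uniform:
                n = self.ghost_failed.get(username, 0) + 1
                self.ghost_failed[username] = n
                if n > MAX_ATTEMPTS:
                    return False, MSG_LOCKED
            return False, MSG_INVALID
        if admin.failed >= MAX_ATTEMPTS:
            return False, MSG_LOCKED  # locked even if the password is right
        if hmac.compare_digest(_hash(password, admin.salt), admin.pw_hash):
            admin.failed = 0
            return True, "ok"
        admin.failed += 1
        return False, MSG_INVALID


def username_exists(service: LoginService, username: str) -> bool:
    """The probe the page describes: keep sending a wrong password; only a
    username with a counter ever reaches the lockout message."""
    for _ in range(MAX_ATTEMPTS + 1):
        _, msg = service.login(username, "not-the-password")
        if msg == MSG_LOCKED:
            return True
    return False
```

With the default settings the probe returns True for a real administrator and False for any other name after 21 requests; with `uniform_response=True` it returns True for both, so the message no longer distinguishes them, but the unknown-username path still skips the hash and answers measurably faster.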