The open-source VPN software OpenVPN has patched three significant vulnerabilities in OpenVPN 2.6.11, released on June 21, 2024. While the initial announcement mentioned security fixes, the severity of these vulnerabilities has only recently been disclosed in detail.
The most critical flaw, tracked as CVE-2024-5594, allows attackers to inject arbitrary data into third-party executables or plugins. This vulnerability, with a CVSS score of 9.1, could be exploited by a malicious OpenVPN peer to execute code or cause denial-of-service conditions.
“OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins,” explains the vulnerability description.
Another vulnerability, CVE-2024-4877, specifically affects Windows users. This flaw could allow attackers to steal user credentials by exploiting a weakness in the OpenVPN GUI’s interactive service pipe.
“A malicious process with ‘some’ elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking OpenVPN GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as,” warns the report.
The third vulnerability, CVE-2024-28882, allows authenticated clients to maintain a connection to the server even after the server has initiated a disconnect. This could be abused to maintain unauthorized access or disrupt server operations.
The OpenVPN project addressed all three vulnerabilities in version 2.6.11, released on June 21, 2024. Users of OpenVPN are strongly encouraged to update to this version or later to protect themselves from potential attacks.
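To act on the update advice across many machines, the check below flags hosts whose reported OpenVPN release is older than 2.6.11. It is an added example, not code from the article or the OpenVPN project. It assumes you have collected the first line of `openvpn --version` from each host; the host names and banners are constructed, and it compares upstream version numbers only, so a distribution package that backports the fixes under an older number will still be flagged.

```python
import re

FIXED = (2, 6, 11)  # first release carrying the fixes, per the article

# Assumed banner shape: first line of `openvpn --version`, e.g. "OpenVPN 2.6.10 ..."
BANNER = re.compile(r"^OpenVPN (\d+)\.(\d+)(?:\.(\d+))?(?:_([A-Za-z]+\d*))?\b")

def parse_version(banner):
    """Return ((major, minor, patch), prerelease_tag_or_None), or None if unparsable."""
    m = BANNER.match(banner.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre

def needs_update(banner):
    """True if the banner reports a release older than 2.6.11.
    Unparsable banners also return True so they get a manual look."""
    parsed = parse_version(banner)
    if parsed is None:
        return True
    version, pre = parsed
    if version != FIXED:
        return version < FIXED
    # Same numbers with a pre-release tag (e.g. _rc1) precede the final release.
    return pre is not None

def audit(inventory):
    """inventory: iterable of (host, banner). Returns the sorted hosts to update or review."""
    return sorted(host for host, banner in inventory if needs_update(banner))

# Constructed sample inventory (host names and banners are made up).
SAMPLE = [
    ("vpn-gw-01", "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"),
    ("vpn-gw-02", "OpenVPN 2.6.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"),
    ("vpn-gw-03", "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)]"),
    ("laptop-17", "OpenVPN 2.6.12 Windows [SSL (OpenSSL)]"),
    ("lab-box", "OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)]"),
    ("legacy", "openvpn: command not found"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print("update or review:", host)
```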