OpenVPN Addresses False Zero-Day Claims, Releases Security Patches

OpenVPN, a leading provider of virtual private network (VPN) solutions, has refuted claims of zero-day vulnerabilities in its OpenVPN2 software, alleged to allow an attack named OVPNX. These claims, made in an announcement for an upcoming Blackhat presentation, were based on a misunderstanding of the term “zero-day.”

A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch. However, the vulnerabilities in question (CVE-2024-27903, CVE-2024-27459, CVE-2024-24974) were responsibly disclosed to OpenVPN and patches were released in March 2024, well before the Blackhat announcement.

• CVE-2024-27903: This vulnerability concerns the loading of plugins from untrusted installation paths, which could be exploited via a malicious plugin targeting openvpn.exe.
• CVE-2024-27459: This vulnerability involves a potential stack overflow in the interactive service component, which might lead to local privilege escalation.
• CVE-2024-24974: This vulnerability prevents remote access to the interactive service pipe, which could otherwise be a potential attack vector.

While not zero-days, the vulnerabilities are still serious, potentially allowing attackers to exploit OpenVPN’s interactive service component on Windows systems. This could lead to privilege escalation or even remote code execution in certain scenarios.

OpenVPN acted swiftly to address the vulnerabilities after they were responsibly disclosed by security researcher Vladimir Tokarev. The company’s proactive response demonstrates its commitment to user security and responsible disclosure practices.

OpenVPN has released updated versions (2.6.10 and 2.5.10) that address these vulnerabilities. Users are strongly encouraged to update immediately. Additionally, following security best practices, such as using strong passwords and limiting user privileges, can further enhance your security posture.