Bug 1227510 (CVE-2024-24974)

Summary: VUL-0: CVE-2024-24974: openvpn: remote computers are allowed access to the OpenVPN interactive service pipe
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Rahul Jain <rahul.jain>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: camila.matos, max
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412988/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24974:6.6:(AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-08 12:33:40 UTC
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24974
https://www.cve.org/CVERecord?id=CVE-2024-24974
https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html

Comment 1 Camila Camargo de Matos 2024-07-08 12:35:06 UTC
As per [0]: "It's important to note that this issue is specific to Windows and is not all that easy to exploit".

Therefore, this bug will be closed as we are seemingly not affected by this vulnerability.

[0] https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/