Bug 1227510 (CVE-2024-24974) - VUL-0: CVE-2024-24974: openvpn: remote computers are allowed access to the OpenVPN interactive service pipe
Status: RESOLVED INVALID
Alias: CVE-2024-24974
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Rahul Jain
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412988/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24974:6.6:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-08 12:33 UTC by SMASH SMASH
Modified: 2024-07-08 12:41 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-08 12:33:40 UTC
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24974
https://www.cve.org/CVERecord?id=CVE-2024-24974
https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
Comment 1 Camila Camargo de Matos 2024-07-08 12:35:06 UTC
As per [0]: "It's important to note that this issue is specific to Windows and is not all that easy to exploit".

Therefore, this bug will be closed as we are seemingly not affected by this vulnerability.

[0] https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/