Bugzilla – Bug 1227512
VUL-0: CVE-2024-27903: openvpn: plugins used to interact with the privileged OpenVPN interactive service can be loaded from untrusted installation paths
Last modified: 2024-07-08 12:58:19 UTC
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

References:
https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27903
https://www.cve.org/CVERecord?id=CVE-2024-27903
https://community.openvpn.net/openvpn/wiki/CVE-2024-27903
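An added example, not part of this bug report or of OpenVPN's code: a defender-side audit that lists the `plugin` directives in an OpenVPN config whose path lies outside a set of trusted directories. The trusted directory list, the function names and the sample config are assumptions constructed for illustration.

```python
import ntpath
import shlex
from pathlib import PureWindowsPath

# ASSUMPTION: directories this audit treats as trusted; adjust per host.
TRUSTED_DIRS = [
    PureWindowsPath(r"C:\Program Files\OpenVPN\bin\plugins"),
    PureWindowsPath(r"C:\Windows\System32"),
]

# Constructed sample config (backslashes doubled, as OpenVPN configs escape them).
SAMPLE = r'''
# constructed sample
client
remote vpn.example.com 1194
plugin "C:\\Program Files\\OpenVPN\\bin\\plugins\\auth.dll" login
plugin C:\\Users\\Public\\Downloads\\helper.dll
plugin "C:\\Program Files\\OpenVPN\\bin\\plugins\\..\\..\\..\\..\\Temp\\x.dll"
plugin helper.dll
'''

def plugin_directives(config_text):
    """Yield (line_number, path) for each `plugin` directive."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        try:
            tokens = shlex.split(line, posix=False)  # keeps quoted paths whole
        except ValueError:                   # unbalanced quote: not parseable
            continue
        if len(tokens) >= 2 and tokens[0] == "plugin":
            # Simplification: drop quotes, undo doubled backslashes.
            yield lineno, tokens[1].strip("\"'").replace("\\\\", "\\")

def is_trusted(path, trusted=TRUSTED_DIRS):
    """True only for an absolute path that, once `..` is collapsed,
    sits under a trusted directory (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(ntpath.normpath(path))
    if not p.is_absolute():                  # relative: depends on search order
        return False
    return any(t in p.parents for t in trusted)

def audit(config_text):
    """Return the plugin directives that point outside the trusted set."""
    return [(n, p) for n, p in plugin_directives(config_text) if not is_trusted(p)]

if __name__ == "__main__":
    for lineno, path in audit(SAMPLE):
        print(f"line {lineno}: untrusted plugin path {path}")
```

The check is lexical only; it does not inspect ACLs on the trusted directories or follow links on disk.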
As per [0]: "It's important to note that this issue is specific to Windows and is not all that easy to exploit". Therefore, this bug will be closed as we are seemingly not affected by this vulnerability.

[0] https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/