-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello!

There are several vulnerabilities in the Windows version of OpenVPN and
OpenVPN-NL. The vulnerabilities are as follows (descriptions copied from
https://openvpn.net/community-downloads/):

* CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege
escalation. Reported-by: Vladimir Tokarev <vtokarev(a)microsoft.com>

* CVE-2024-24974: Windows: disallow access to the interactive service
pipe from remote computers. Reported-by: Vladimir Tokarev
<vtokarev(a)microsoft.com>

* CVE-2024-27903: Windows: disallow loading of plugins from untrusted
installation paths, which could be used to attack openvpn.exe via a
malicious plugin. Plugins can now only be loaded from the OpenVPN
install directory, the Windows system directory, and possibly from a
directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
Reported-by: Vladimir Tokarev <vtokarev(a)microsoft.com>

* CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in
TapSharedSendPacket.
Reported-by: Vladimir Tokarev <vtokarev(a)microsoft.com>

We are in the process of preparing an OpenVPN-NL release to fix these
vulnerabilities. Note that the local privilege escalations mentioned
above require unprivileged users to edit OpenVPN plugin files. Please
ensure that if you run OpenVPN-NL with plugins, non-admin users cannot
edit those plugin files.

I will let you know when we have the new release ready.

Best regards,
Max Fillinger
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
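
One way to check the interim advice above (that non-admin users cannot edit plugin files), as an added example that is not part of the original message or of OpenVPN-NL. It assumes you pass your plugin directories through the hypothetical `-PluginPath` parameter; the list of trusted SIDs is also an assumption to adjust for your environment.

```powershell
# Added example: report ACL entries that let non-admin accounts change plugin files.
param(
    # Directories holding plugin files; supplied by the caller, none is assumed.
    [string[]]$PluginPath = @()
)

# Extra plugin directory named in the advisory, if the value is set.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenVPN' -Name 'plugin_dir' -ErrorAction SilentlyContinue
if ($reg -and $reg.plugin_dir) { $PluginPath += $reg.plugin_dir }
if (-not $PluginPath) { Write-Warning 'No plugin directories to check.'; exit 2 }

# Principals allowed to write (assumption: adjust to local policy).
$trusted = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Only the bits that allow modifying, replacing or re-permissioning an object.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL stored unmapped in an ACE
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-UntrustedWriter {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to the object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -or ($rights -band $genericWriteOrAll)) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$findings = foreach ($dir in ($PluginPath | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-UntrustedWriter -Path $dir    # write access to the directory allows replacing files
    Get-ChildItem -LiteralPath $dir -Recurse -File |
        ForEach-Object { Get-UntrustedWriter -Path $_.FullName }
}

if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Output 'No non-admin write access found on the checked plugin locations.'
```

Run it from an elevated PowerShell session so that every ACL can be read; a non-zero exit code means at least one location needs its permissions tightened.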