| author | Meenali Gupta <meenali.gupta@windriver.com> | 2024-06-21 06:35:37 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-06-27 11:21:22 -0400 |
| commit | cfcc9f99456a4c51594eebb859621752ea0bd906 (patch) | |
| tree | d198bd88ab99313de338511829ff716b536d9f62 /meta-python/README | |
| parent | 38a07ce40ec6b167d135467aa9737c36a674b60e (diff) | |
| download | meta-openembedded-cfcc9f99456a4c51594eebb859621752ea0bd906.tar.gz | |
openvpn: fix multiple CVEs
CVE-2024-24974:
Previously, the VPN tool’s Windows implementation allowed remote access to
its service pipe, posing a security risk. Using compromised credentials, a
threat actor could communicate with OpenVPN to orchestrate attacks.
CVE-2024-27903:
OpenVPN has mitigated the risk by restricting plugin load. Plugins can
now only be loaded from the software’s install directory, the Windows
system directory, and the plugin_dir directory under the software’s installation.
CVE-2024-27459:
This vulnerability affects the interactive service component, potentially leading
to local privilege escalation when triggered by an oversized message. To mitigate
this risk, the VPN solution now terminates connections upon detecting excessively
large messages, preventing stack overflow exploits.
References:
https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
https://socradar.io/openvpn-fixed-multiple-vulnerabilities-on-windows/
https://community.openvpn.net/openvpn/wiki/CVE-2024-27903
https://community.openvpn.net/openvpn/wiki/CVE-2024-27459
https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/README')
0 files changed, 0 insertions, 0 deletions
