Details of a vulnerability (CVE-2024-5594) in OpenVPN, a package for creating virtual private networks, have been disclosed. The flaw could allow arbitrary data to be injected into third-party executables or plugins on the other end of the connection. It is caused by a lack of checks for null bytes and invalid characters when processing control messages such as PUSH_REPLY.
The issue has been fixed in OpenVPN 2.5.11 and 2.6.11, released in June 2024. At the time, the release notes described the vulnerability as a minor issue that could cause garbage data to be written to the log or increased CPU load. In an update published a few days ago, its severity was raised to critical (9.1 out of 10).
Exploitation details have not yet been provided. The fix consists of stopping the processing of messages that contain invalid characters and checking for invalid characters in the entire buffer, not just in the part before the zero byte. Checks for special characters and the zero byte have been added for the commands "AUTH_FAILED", "PUSH_*", "RESTART", "HALT", "INFO_PRE", "INFO", "CR_RESPONSE", "AUTH_PENDING" and "EXIT".
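To make the difference between the two kinds of check concrete, here is an added C example; it is not OpenVPN's own code and does not reproduce its message parser. The function names, the prefix-matching of the command list and the two sample messages are constructed for this illustration. It contrasts a check that walks the message as a C string (and so stops at the first NUL byte, leaving everything after it uninspected) with a check that covers the whole received length.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Commands named in the advisory for which the whole-buffer check applies.
 * The page's "PUSH_*" is handled here as a prefix match on "PUSH_". */
static const char *const CHECKED_COMMANDS[] = {
    "AUTH_FAILED", "PUSH_", "RESTART", "HALT", "INFO_PRE",
    "INFO", "CR_RESPONSE", "AUTH_PENDING", "EXIT",
};

/* Illustrative "before" check: treats the buffer as a C string, so it stops at
 * the first NUL byte and never inspects any byte that follows it. */
bool check_before_nul_only(const char *buf, size_t len)
{
    for (size_t i = 0; i < len && buf[i] != '\0'; i++) {
        if (iscntrl((unsigned char)buf[i])) {
            return false;
        }
    }
    return true;   /* bytes after an embedded NUL were never looked at */
}

/* Illustrative "after" check: every byte in [0, len) is inspected; an embedded
 * NUL or any control character anywhere in the message rejects it. */
bool check_whole_buffer(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\0' || iscntrl(c)) {
            return false;
        }
    }
    return true;
}

/* True if the message starts with one of the checked commands (assumed prefix match). */
bool is_checked_command(const char *buf, size_t len)
{
    size_t count = sizeof(CHECKED_COMMANDS) / sizeof(CHECKED_COMMANDS[0]);
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(CHECKED_COMMANDS[i]);
        if (len >= n && memcmp(buf, CHECKED_COMMANDS[i], n) == 0) {
            return true;
        }
    }
    return false;
}

/* Accept a control message only if it is a checked command and the entire
 * buffer is clean; otherwise processing stops, as the fix describes. */
bool accept_control_message(const char *buf, size_t len)
{
    if (!is_checked_command(buf, len)) {
        return false;
    }
    return check_whole_buffer(buf, len);
}

/* Constructed sample messages, not captured traffic. Using sizeof()-1 for the
 * length keeps the embedded NUL and the bytes after it inside the second one. */
static const char MSG_CLEAN[]  = "PUSH_REPLY,route 10.8.0.0 255.255.255.0";
static const char MSG_HIDDEN[] = "PUSH_REPLY,route 10.8.0.0" "\0" "\x1b" "tail";
#define MSG_CLEAN_LEN  (sizeof(MSG_CLEAN) - 1)
#define MSG_HIDDEN_LEN (sizeof(MSG_HIDDEN) - 1)

int main(void)
{
    printf("clean : before-NUL=%d whole=%d accept=%d\n",
           check_before_nul_only(MSG_CLEAN, MSG_CLEAN_LEN),
           check_whole_buffer(MSG_CLEAN, MSG_CLEAN_LEN),
           accept_control_message(MSG_CLEAN, MSG_CLEAN_LEN));
    printf("hidden: before-NUL=%d whole=%d accept=%d\n",
           check_before_nul_only(MSG_HIDDEN, MSG_HIDDEN_LEN),
           check_whole_buffer(MSG_HIDDEN, MSG_HIDDEN_LEN),
           accept_control_message(MSG_HIDDEN, MSG_HIDDEN_LEN));
    return 0;
}
```

The second message passes the string-style check because that check never sees the escape byte hidden behind the NUL, while the whole-buffer check rejects it. The general lesson for any parser of length-delimited network messages is the same: validate against the received length, never against `strlen()` of the payload.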
Source: opennet.ru
