2025-01-12 05:49:07 Pacfic
OpenVPN Vulnerabilities Expose Private Keys - 4d
A critical security vulnerability, identified as CVE-2024-8474, has been discovered in the OpenVPN Connect application. This flaw affects versions prior to 3.5.0, and stems from the application logging the user's private key in clear text within the application log. A malicious actor who gains access to a device running a vulnerable version of OpenVPN Connect could potentially extract this private key, using it to decrypt the user's VPN traffic. This vulnerability makes VPN protection completely ineffective. OpenVPN Connect is a widely used client application, boasting over 10 million downloads on the Google Play Store, making it vital for users to be aware of this threat.
To address this, OpenVPN has released version 3.5.1, which fixes the key leakage vulnerability. While this latest update also addresses a separate app stability issue, users are strongly encouraged to update as soon as possible to ensure their protection. As a precautionary step it's recommended users check application logs for any suspicious activity if they were using a vulnerable version, and to change their VPN usernames and passwords. The OpenVPN Connect app itself requires users to connect to a separate VPN server. Users should remain vigilant for potential security risks and make it a habit to keep software updated.
ImgSrc: securityonline.info
References:
- @cR0w - OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traff - 4d
- securityonline.info - CVE-2024-8474: OpenVPN Connect Vulnerability Leaks Private Keys - 4d
- Vulnerability Archives ? Cybersecurity News - CVE-2024-8474: OpenVPN Connect Vulnerability Leaks Private Keys - 4d
- nvd.nist.gov - OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traff - 4d
Classification:
- HashTags: OpenVPN Vulnerability PrivacyBreach
- Company: OpenVPN
- Target: OpenVPN Users
- Product: OpenVPN Connect
- Feature: Private Key Exposure
- Type: Vulnerability
- Severity: Major