Reynir Björnsson

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions 2.6.0 through 2.6.10 **Description** The issue is related to OpenVPN's handling of exit notifications from authenticated clients in a server role. When multiple exit notifications are accepted, it can extend the validity of a closing session. This can potentially allow an attacker to keep a session active even after the server has been instructed to disconnect the client. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For OpenVPN versions 2.6.0 through 2.6.10, consider disabling the acceptance of multiple exit notifications from authenticated clients as a temporary workaround until a patch is available. Restrict access to the server role to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to 2.6.11 **Description** The issue is related to the lack of proper sanitization of PUSH REPLY messages, which can be exploited by attackers to inject unexpected arbitrary data into third-party executables or plug-ins. This can potentially impact the confidentiality, integrity, and availability of protected information. A malicious OpenVPN peer can send garbage to the OpenVPN log or cause a high CPU load by sending control channel messages with nonprintable characters. **Recommendations** For OpenVPN versions prior to 2.6.11, update to version 2.6.11 or later to eliminate the risk. As a temporary workaround, consider refusing control channel messages with nonprintable characters in them to minimize the risk of exploitation. Restrict access to the control channel to prevent malicious OpenVPN peers from sending garbage to the log or causing high CPU load. Avoid using the `PUSH REPLY` message until the issue is resolved.