CVE-2021-3606

Name of the Vulnerable Software and Affected Versions OpenVPN versions prior to 2.5.3

Description The issue is related to errors in the path search mechanism of the OpenSSL library in OpenVPN software. Exploitation of this issue may allow an attacker to execute arbitrary code. Local users can load arbitrary dynamic loadable libraries via an OpenSSL configuration file, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process.

Recommendations For versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenSSL configuration file to minimize the risk of exploitation.