PT-2023-6378 · Openvpn · Openvpn Connect

Mr. Ka Lok Wu · Published 2023-10-17 · Updated 2023-10-24 · CVE-2022-3761

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenVPN Connect versions before 3.4.0.4506 (macOS)
OpenVPN Connect versions before 3.4.0.3100 (Windows)

Description

The issue is related to errors in the certificate authentication procedure, allowing a remote attacker to perform a man-in-the-middle attack. This can lead to the interception of configuration profile download requests, which may contain user credentials.

Recommendations

For OpenVPN Connect versions before 3.4.0.4506 (macOS), update to version 3.4.0.4506 or later.
For OpenVPN Connect versions before 3.4.0.3100 (Windows), update to version 3.4.0.3100 or later.
As a temporary workaround, consider restricting access to sensitive configuration profiles until a patch is applied.

Fix

Improper Authentication

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

BDU:2023-07090
CVE-2022-3761

Affected Products

Openvpn Connect