PT-2024-3588 · Openvpn · Openvpn Connect

Mykola Grymalyuk · Published 2024-01-18 · Updated 2025-04-02

CVE-2023-7245

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenVPN Connect versions 3.0 through 3.4.3 (Windows)
OpenVPN Connect versions 3.0 through 3.4.7 (macOS)

Description
The issue lies in the nodejs framework embedded in OpenVPN Connect, which was not properly configured. Because of this configuration issue, a local user can set the ELECTRON_RUN_AS_NODE environment variable and execute arbitrary code within the nodejs process context. The vulnerability is also described as a failure to neutralize instructions in dynamically executed code (eval injection), which allows an attacker to execute arbitrary code.

Recommendations
For OpenVPN Connect versions 3.0 through 3.4.3 (Windows), update to a version later than 3.4.3. For OpenVPN Connect versions 3.0 through 3.4.7 (macOS), update to a version later than 3.4.7. As a temporary workaround, consider restricting access to the ELECTRON_RUN_AS_NODE environment variable to minimize the risk of exploitation.
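A defender-side check for the configuration issue described above, added here as an example and not code from the advisory or from OpenVPN: it reads the fuse wire that Electron-based applications carry in their main binary and reports whether the RunAsNode fuse (the switch behind ELECTRON_RUN_AS_NODE) is still enabled. The sentinel string, the version/length bytes and the fuse order are assumed from the @electron/fuses tooling; the two sample "binaries" are constructed bytes, not OpenVPN Connect.

```python
"""Report whether an Electron binary still honours ELECTRON_RUN_AS_NODE.

Assumed fuse wire layout (from the @electron/fuses tooling): a fixed sentinel,
one version byte, one length byte, then one byte per fuse where
'1' = enabled, '0' = disabled, 'r' = removed. Fuse index 0 is RunAsNode.
"""
import sys
from typing import Optional

SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
# Assumed fuse order for fuse wire version 1.
FUSE_NAMES = ["RunAsNode", "EnableCookieEncryption",
              "EnableNodeOptionsEnvironmentVariable",
              "EnableNodeCliInspectArguments",
              "EnableEmbeddedAsarIntegrityValidation",
              "OnlyLoadAppFromAsar",
              "LoadBrowserProcessSpecificV8Snapshot",
              "GrantFileProtocolExtraPrivileges"]
STATES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}


def parse_fuse_wire(blob: bytes) -> Optional[dict]:
    """Return {fuse_name: state} for the fuse wire in blob, or None when no
    complete fuse wire is found (e.g. a non-Electron or truncated file)."""
    pos = blob.find(SENTINEL)
    if pos < 0 or pos + len(SENTINEL) + 2 > len(blob):
        return None
    pos += len(SENTINEL)
    length = blob[pos + 1]          # blob[pos] is the version byte, not checked
    wire = blob[pos + 2:pos + 2 + length]
    if len(wire) != length:
        return None
    fuses = {}
    for i, byte in enumerate(wire):
        name = FUSE_NAMES[i] if i < len(FUSE_NAMES) else f"fuse_{i}"
        fuses[name] = STATES.get(byte, f"unknown(0x{byte:02x})")
    return fuses


def run_as_node_exposed(blob: bytes) -> bool:
    """True when ELECTRON_RUN_AS_NODE would still turn the app into a plain
    node process: RunAsNode enabled, or no fuse wire at all (builds without
    fuses are treated as exposed, which is the conservative reading)."""
    fuses = parse_fuse_wire(blob)
    return fuses is None or fuses.get("RunAsNode") == "enabled"


# Constructed sample binaries (not real OpenVPN Connect bytes).
HARDENED = b"\x00junk" + SENTINEL + bytes([1, 8]) + b"01000000" + b"tail"
EXPOSED = b"\x00junk" + SENTINEL + bytes([1, 8]) + b"11000000" + b"tail"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EXPOSED
    print("RunAsNode exposed:", run_as_node_exposed(data))
```

Run it against the application's main executable (for example the Electron binary inside an app bundle); a result of `True` means the ELECTRON_RUN_AS_NODE workaround still matters for that build.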

Fix

Weakness Enumeration
Eval Injection

Related Identifiers
BDU:2024-03893
CVE-2023-7245

Affected Products
Openvpn Connect