PT-2024-5800 · Openvpn+7
Reynir Björnsson · Published 2024-06-25 · Updated 2024-11-01
CVE-2024-28882
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
OpenVPN versions 2.6.0 through 2.6.10
Description
The issue is related to OpenVPN's handling of exit notifications from authenticated clients when OpenVPN runs in the server role. Because the server accepts multiple exit notifications, the validity of a closing session can be extended, which can potentially allow an attacker to keep a session active even after the server has been instructed to disconnect the client. The estimated number of potentially affected devices worldwide is not specified.
Recommendations
For OpenVPN versions 2.6.0 through 2.6.10, consider disabling the acceptance of multiple exit notifications from authenticated clients as a temporary workaround until a patch is available. Restrict access to the server role to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Missing Release of Resource after Effective Lifetime
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Openvpn
Red Os
Suse
Ubuntu