CVE-2024-5594

Name of the Vulnerable Software and Affected Versions OpenVPN versions prior to 2.6.11

Description The issue is related to the lack of proper sanitization of PUSH REPLY messages, which can be exploited by attackers to inject unexpected arbitrary data into third-party executables or plug-ins. This can potentially impact the confidentiality, integrity, and availability of protected information. A malicious OpenVPN peer can send garbage to the OpenVPN log or cause a high CPU load by sending control channel messages with nonprintable characters.

Recommendations For OpenVPN versions prior to 2.6.11, update to version 2.6.11 or later to eliminate the risk. As a temporary workaround, consider refusing control channel messages with nonprintable characters in them to minimize the risk of exploitation. Restrict access to the control channel to prevent malicious OpenVPN peers from sending garbage to the log or causing high CPU load. Avoid using the PUSH REPLY message until the issue is resolved.