
CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin

win32: Enforce loading of plugins from a trusted directory

Currently, there's a risk associated with allowing plugins to be loaded from any location. This update ensures plugins are only loaded from a trusted directory, which is either:

  • HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing, then HKLM\SOFTWARE\OpenVPN, which is the installation directory)
  • System directory

Loading from UNC paths is disallowed.
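
The rule described above can be sketched as a path check for auditing plugin paths found in existing configurations. This is an added example, not OpenVPN's own code: the function names are hypothetical, the trusted directories are constructed sample values standing in for the registry and system-directory lookups, and rejecting relative paths and accepting subdirectories are assumptions of this sketch.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed sample values. On a real host these come from
# HKLM\SOFTWARE\OpenVPN\plugin_dir (or HKLM\SOFTWARE\OpenVPN)
# and from the Windows system directory.
TRUSTED_DIRS = [r"C:\Program Files\OpenVPN\bin", r"C:\Windows\System32"]


def is_unc(path):
    """True for paths that start with two separators (UNC and device paths)."""
    return path.replace("/", "\\").startswith("\\\\")


def plugin_path_allowed(path, trusted_dirs=TRUSTED_DIRS):
    """Return (allowed, reason) for one plugin module path."""
    if is_unc(path):
        return False, "UNC path"
    drive, rest = ntpath.splitdrive(path)
    # Assumption of this sketch: only fully qualified drive paths are accepted,
    # so "plugin.dll" and drive-relative "C:plugin.dll" are both rejected.
    if not drive or not rest.startswith(("\\", "/")):
        return False, "not an absolute drive path"
    # Collapse "." and ".." and fold case before comparing, so traversal
    # segments and case differences cannot defeat the prefix test.
    full = ntpath.normcase(ntpath.normpath(path))
    for trusted in trusted_dirs:
        # The trailing separator keeps "...\bin2" from matching "...\bin".
        base = ntpath.normcase(ntpath.normpath(trusted)).rstrip("\\") + "\\"
        if full.startswith(base):
            return True, "inside " + trusted
    return False, "outside trusted directories"


def audit(paths, trusted_dirs=TRUSTED_DIRS):
    """Return [(path, reason)] for every path the rule would refuse."""
    findings = []
    for p in paths:
        allowed, reason = plugin_path_allowed(p, trusted_dirs)
        if not allowed:
            findings.append((p, reason))
    return findings
```

Running `audit()` over the plugin paths collected from deployed configurations lists the ones that would stop loading once the restriction is in place.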


Last modified on 03/21/24 14:54:39