= CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers

interactive.c: disable remote access to the service pipe

Remote access to the service pipe is not needed and might be a potential attack vector.

For example, if an attacker manages to get credentials for a user who is a member of the "OpenVPN Administrators" group on a victim machine, the attacker might be able to communicate with the privileged interactive service on the victim machine and start openvpn processes remotely.

=== References
* Release notes: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07534.html
* CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24974
* Reported by: Vladimir Tokarev <vtokarev@microsoft.com>
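
One way a Windows service can refuse remote clients on a named pipe, as described above, is the PIPE_REJECT_REMOTE_CLIENTS flag of CreateNamedPipe. This is an added example, not OpenVPN's interactive.c; the pipe name and helper names are hypothetical, and the non-Windows constant definitions exist only so the flag logic compiles on other platforms.

```c
/* Added example, not OpenVPN's code. Pipe name and helper names are hypothetical. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Documented winbase.h values, defined here only so the flag logic builds off Windows. */
typedef unsigned long DWORD;
#define PIPE_READMODE_MESSAGE      0x00000002
#define PIPE_TYPE_MESSAGE          0x00000004
#define PIPE_REJECT_REMOTE_CLIENTS 0x00000008
#endif

/* Mode flags for a message-mode service pipe. Without PIPE_REJECT_REMOTE_CLIENTS
 * the pipe is also reachable from other hosts over SMB. */
DWORD service_pipe_mode(int reject_remote)
{
    DWORD mode = PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE;
    if (reject_remote)
        mode |= PIPE_REJECT_REMOTE_CLIENTS;
    return mode;
}

/* Review helper: does a given dwPipeMode value refuse remote clients? */
int mode_rejects_remote(DWORD mode)
{
    return (mode & PIPE_REJECT_REMOTE_CLIENTS) != 0;
}

#ifdef _WIN32
/* Local-only pipe. FILE_FLAG_FIRST_PIPE_INSTANCE makes creation fail if the
 * name already exists. NULL selects the default security descriptor
 * (assumption for brevity; a privileged service passes its own DACL). */
HANDLE create_service_pipe(const char *name)
{
    return CreateNamedPipeA(name,
        PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
        service_pipe_mode(1), 1, 1024, 1024, 0, NULL);
}
#endif

int main(void)
{
#ifdef _WIN32
    HANDLE pipe = create_service_pipe("\\\\.\\pipe\\example\\service");
    if (pipe == INVALID_HANDLE_VALUE)
        return 1;
    CloseHandle(pipe);
#endif
    printf("pipe mode: 0x%lx\n", service_pipe_mode(1));
    return 0;
}
```

The flag only closes the network path; the pipe's DACL still decides which local accounts may connect.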