CVE-2024-28882: OpenVPN in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session
Fix: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client.
Affected versions: 2.6.0 until 2.6.10 (inclusive)
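A simplified model of the timer behaviour described above, added here as an illustration; it is not OpenVPN source code. Only the name schedule_exit() comes from this advisory; the `struct peer` fields, the 5-second delay and the `replay()` helper are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-peer state; field names are assumptions for this model. */
struct peer {
    bool exit_scheduled;  /* has a delayed exit already been armed? */
    long exit_deadline;   /* absolute time (seconds) at which the session ends */
};

#define EXIT_DELAY 5      /* constructed value: delay between notification and teardown */

/* Behaviour the advisory describes for affected versions: every exit
 * notification re-arms the timer, so the deadline keeps moving forward. */
static void schedule_exit_unguarded(struct peer *p, long now)
{
    p->exit_scheduled = true;
    p->exit_deadline = now + EXIT_DELAY;
}

/* Behaviour after the fix: schedule only once on a given peer. */
static bool schedule_exit_once(struct peer *p, long now)
{
    if (p->exit_scheduled)
        return false;     /* already closing: repeated notifications are ignored */
    p->exit_scheduled = true;
    p->exit_deadline = now + EXIT_DELAY;
    return true;
}

/* Replay `count` exit notifications, one every `interval` seconds starting
 * at t=0, and return the time at which the session would finally end. */
static long replay(bool guarded, int count, long interval)
{
    struct peer p = { false, 0 };
    for (int i = 0; i < count; i++) {
        long now = (long)i * interval;
        if (guarded)
            schedule_exit_once(&p, now);
        else
            schedule_exit_unguarded(&p, now);
    }
    return p.exit_deadline;
}

int main(void)
{
    printf("unguarded: session ends at t=%ld\n", replay(false, 10, 3));
    printf("guarded:   session ends at t=%ld\n", replay(true, 10, 3));
    return 0;
}
```

In the unguarded variant the end time depends on when the last notification arrived; in the guarded variant it depends only on the first.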
References
- Release notes: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html
- CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28882
- Reported by: Reynir Björnsson
Last modified on 07/09/24 12:18:29