Changes between Version 1 and Version 2 of CVE-2024-4877
- Timestamp:
- 06/26/24 13:15:48 (3 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
CVE-2024-4877
v1 v2 3 3 interactive.c and OpenVPN-GUI for Windows: 4 4 5 If an attacker with !SeImeprsonatePrivilege manages to create a namedpipe server with a name matching that used by the "Interactive Service", UIs such as OpenVPN-GUI connecting to it could allow the attacker to impersonate the user running the UI.5 If an attacker with !SeImeprsonatePrivilege manages to create a namedpipe server with a name matching that used by the "Interactive Service", user interfaces such as OpenVPN-GUI connecting to it could allow the attacker to impersonate the user running the UI. 6 6 7 7 To address this, we harden the security of the pipe, making it possible only for processes running as SYSTEM (such as the interactive service) create the pipe with the same name. Further, to protect against any such pipes created prior to startup of the service, clients of the service must match the PID of the pipe server with that of the service. This is implemented in OpenVPN-GUI for Windows.