Introduction
This page lists all security announcements made by the OpenVPN project.
Announcements
- CVE-2024-28882: OpenVPN in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session (June 2024)
- CVE-2024-5594: control channel: refuse control channel messages with non-printable characters in them (June 2024)
- CVE-2024-4877: Windows: A malicious process may spoof the interactive service and potentially impersonate a local user (June 2024)
- CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation (Mar 2024)
- CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers (Mar 2024)
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin (Mar 2024)
- CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket (Mar 2024)
- CVE-2023-7235: OpenVPN 2.x GUI privilege escalation possible if installed outside default installation path on Windows (Feb 2024)
- CVE-2023-6247: PKCS#7 parser in OpenVPN 3 Core Library can result in NULL-dereference (Feb 2024)
- CVE-2023-46850: Incorrect use of send buffer can cause memory to be sent to peer (Nov 2023)
- CVE-2023-46849: Use of --fragment option can lead to a division by zero error which can be fatal (Nov 2023)
- TunnelCrack: LocalNet and ServerIP attacks on insecure networks (Oct 2023)
- CVE-2022-0547: Potential authentication by-pass with multiple deferred authentication plug-ins
- CVE-2021-3547: OpenVPN 3 Core library 3.6 and 3.6.1 possible certificate authentication bypass with --verify-x509-name
- CVE-2021-3606: OpenVPN 2.5.2 (Windows only) may load an external OpenSSL configuration file
- CVE-2020-15078: partial information leak upon unauthorized client reconnection (Apr 2021)
- DUHK attack: ANSI X9.31 RNG and Don't Use Hard-coded Keys (Oct 2017)
- Code execution and Privilege escalation problems with NSIS installers (Sep 2017)
- CVE-2017-12166: out of bounds write in key-method 1 (Sep 2017)
- Unquoted service paths in OpenVPN 2.4 Windows installers
- Vulnerabilities fixed in OpenVPN 2.3.17 and 2.4.3 (June 2017)
- Quarkslab and Cryptography Engineering audits (May 2017)
- Linux kernel, UDP packets and MSG_PEEK (CVE-2016-10229) (April 2017)
- OpenVPN and SWEET32 (Aug 2016)
- Tap-windows6 buffer overflow vulnerability (May 2016)
- Vulnerabilities fixed in OpenSSL 1.0.1m (Mar 2015)
- Security announcement: The FREAK vulnerability (Mar 2015)
- Security announcement: critical denial of service vulnerability (CVE-2014-8104) (Nov 2014)
- Vulnerabilities fixed in OpenSSL 1.0.1j (Oct 2014)
- Vulnerabilities fixed in OpenSSL 1.0.1i (Aug 2014)
- OpenSSL CCS Injection Vulnerability (CVE-2014-0224) and OpenVPN (Jun 2014)
- OpenSSL 'Heartbleed' vulnerability and OpenVPN (Apr 2014)
- TLS Triple Handshake Vulnerability and OpenVPN (Mar 2013)
- Security announcement: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt (CVE-2013-2061) (Mar 2013)
Last modified 5 months ago
Last modified on 07/09/24 12:20:29