OpenVPN has rolled out version 2.6.10, focusing on bug fixes and enhancements tailored specifically for the Windows platform. The update also addresses four vulnerabilities, including a privilege escalation flaw (CVE-2024-27459) discovered by Microsoft researcher Vladimir Tokarev. CVE-2024-27459 stems from a stack overflow in the interactive service component of the OpenVPN application and could allow local privilege escalation on vulnerable devices.
OpenVPN has also addressed CVE-2024-24974, fixed by denying remote computers access to the interactive service pipe, and CVE-2024-27903, fixed by blocking the loading of plugins from untrusted installation paths. CVE-2024-1305 concerns the Windows TAP driver used by VPN services; additional details about this flaw are pending publication by OpenVPN.
To mitigate potential exploitation risks, organizations and users are strongly advised to upgrade their OpenVPN installations to version 2.6.10 promptly. Doing so picks up the fixes for the identified vulnerabilities along with the other Windows enhancements in this release.
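The upgrade advice above is only useful if you can tell which hosts are still below 2.6.10. The script below is an added example (not code from OpenVPN or from this article) that parses the first line of `openvpn --version` output collected from a fleet and flags every install older than 2.6.10 with the four CVEs named here. The banner lines in the inventory are constructed for the example, the host names are made up, and treating every version below 2.6.10 as needing an upgrade is this script's assumption, following the article's advice to move to the latest release.

```python
import re

# Release the article says carries the fixes.
FIXED_VERSION = (2, 6, 10)

# CVEs the article attributes to the 2.6.10 release.
FIXED_CVES = (
    "CVE-2024-27459",  # stack overflow in the interactive service (local privilege escalation)
    "CVE-2024-24974",  # remote access to the interactive service pipe
    "CVE-2024-27903",  # plugin loading from untrusted installation paths
    "CVE-2024-1305",   # Windows TAP driver
)

# Matches the version token in an `openvpn --version` banner, e.g. "OpenVPN 2.6.9 Windows ...".
_VERSION_RE = re.compile(r"OpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if no version is present.

    A missing patch component (e.g. a pre-release such as "2.6_rc2") is treated as 0,
    which sorts it below every 2.6.x release, as intended for this check.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_upgrade(version):
    """True if the parsed version predates the fixed release (assumption: anything older is affected)."""
    return version < FIXED_VERSION


def audit(inventory):
    """Map host -> dict(version, status, cves) for a dict of host -> banner line.

    status is "upgrade" (below 2.6.10), "ok" (2.6.10 or newer) or "unknown"
    (banner could not be parsed, so the host needs manual review).
    """
    report = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            report[host] = {"version": None, "status": "unknown", "cves": ()}
        elif needs_upgrade(version):
            report[host] = {"version": version, "status": "upgrade", "cves": FIXED_CVES}
        else:
            report[host] = {"version": version, "status": "ok", "cves": ()}
    return report


# Constructed sample inventory (not real hosts or captured output).
SAMPLE_INVENTORY = {
    "win-vpn-01": "OpenVPN 2.6.9 Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO]",
    "win-vpn-02": "OpenVPN 2.6.10 Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO]",
    "win-vpn-03": "OpenVPN 2.5.9 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD]",
    "win-vpn-04": "'openvpn' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, entry in audit(SAMPLE_INVENTORY).items():
        ver = ".".join(map(str, entry["version"])) if entry["version"] else "?"
        print(f"{host}: {ver:8} {entry['status']:8} {' '.join(entry['cves'])}")
```

Feed `audit()` whatever your endpoint tooling returns for `openvpn --version` on each host; anything reported as `unknown` (no banner, or a banner the regex does not match) should be reviewed by hand rather than assumed patched.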