CVE-2024-8474: OpenVPN Connect Vulnerability Leaks Private Keys

https://nvd.nist.gov/vuln/detail/CVE-2024-8474

https://github.com/advisories/GHSA-qcg2-98h8-485j

For clarification:

This is not related to OpenVPN running on IPFire.

It is related to the OpenVPN Connect for Android client software.

OpenVPN Connect from 3.5.0 onwards is not affected.

As far as I can see, OpenVPN Connect for Android is the only client version affected.

The CVE is not mentioned in the OpenVPN Connect client release notes for Windows, macOS or iOS.

It also only occurs if the Android phone user is doing debugging with Android Debug Bridge (ADB) tools.

4 Likes

Yes, this looks like a relatively minor CVE which can only be exploited under exceptional circumstances.

But keeping all VPN clients’ software up-to-date is always wise regardless.

Thanks,
A G

2 Likes