CVE-2024-24974
Published: 08 July 2024
Summary
CVE-2024-24974 is a high-severity Improper Restriction of Communication Channel to Intended Endpoints (CWE-923) vulnerability in Openvpn Openvpn. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability affects the interactive service component in OpenVPN versions 2.6.9 and earlier. It stems from improper access controls on the OpenVPN service pipe, which can be reached remotely and permits interaction with the privileged interactive service. The issue is tracked under CWE-923 and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and high confidentiality impact without requiring authentication.
A remote attacker with no credentials or user interaction can connect to the exposed service pipe and interact directly with the privileged OpenVPN interactive service. This exposure enables the attacker to obtain sensitive information from the affected system while leaving integrity and availability unaffected.
The EPSS score has remained flat at 0.1109 with no material increase since disclosure. Official advisories and additional technical details are available from the OpenVPN project at the referenced community and security-advisory URLs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22337
Vulnerability details
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Authorizing wireless access restricts the wireless communication channel to only intended endpoints.
Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems.
Limits physical connectivity to transmission channels, supporting restriction of communication paths to only intended endpoints.
Requiring providers to meet communication-channel restrictions and monitoring adherence reduces improper restriction of channels to intended endpoints.
Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths.
Explicit control of VoIP traffic forces organizations to restrict communication channels to only intended endpoints and protocols.
Explicit internal/external separation restricts name-resolution channels to their intended communication endpoints.
Enforces that the wireless communication channel is usable only by intended endpoints, addressing improper channel restriction.