CVE-2024-27459
Published: 08 July 2024
Summary
CVE-2024-27459 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Openvpn Openvpn. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2024-27459 is a stack-based buffer overflow in the interactive service component of OpenVPN 2.6.9 and earlier. It is tracked under CWE-121 and CWE-787 and can be triggered by an attacker sending crafted data, resulting in arbitrary code execution with elevated privileges. The flaw received a CVSS 3.1 base score of 7.8 reflecting local attack vector, low complexity, and low privileges required.
A local attacker with low privileges can send data to the interactive service to trigger the overflow and execute arbitrary code with higher privileges, impacting confidentiality, integrity, and availability without requiring user interaction.
OpenVPN has published advisories covering this issue together with related CVEs at the referenced community wiki and security advisory pages, which include guidance on affected versions and remediation steps. The EPSS score has remained flat at 0.0542 with no material rise observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24657
Vulnerability details
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.