Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

Another reason to shift away from OpenVPN as a protocol. WireGuard is just better.

4 Likes

Important:

All the vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials

In the end, there is always going to be a vulnerability. WireGuard or others. You choose based on features.
I went with OpenVPN in the past due to broad availability of client devices across OSes. WireGuard was not up to par at that time. Recently migrated to Tailscale; this closes one port and also allows finer control over who has access to what with the easy built-in ACL configuration.

I think the article is slightly poorly written. You can exploit all 4 with a user’s credentials, but not having their credentials does not mean you cannot exploit any. Almost all of them can be exploited both before and after some external exploit. Like the cited CVE-2024-27903 is a side-channel opening that can be exploited without credentials by malicious plugins. Similarly, CVE-2024-24974 can be exploited after someone has remote access to your system (can be a problem when the threat model is stopping a rogue employee using shared systems, or IT admins managing endpoints. It can also be used if the Intel ME/vPro platform is exploited).

1 Like