CVE-2024-5594
Published: 06 January 2025
Description
OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.
Security Summary
CVE-2024-5594 is a vulnerability in OpenVPN versions prior to 2.6.11 that stems from improper sanitization of PUSH_REPLY messages. An attacker controlling the OpenVPN server can exploit this flaw to inject unexpected arbitrary data, which ends up in the client logs. The issue is classified under CWE-1287 (Improper Validation of Specified Quantity in Input) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
The attack requires an adversary to control the OpenVPN server, with no privileges, user interaction, or special conditions needed beyond network access. Exploitation allows the injection of arbitrary data into client-side logs, potentially enabling log poisoning, exposure of sensitive information through crafted payloads, or disruption of log integrity for forensic analysis.
Advisories recommend upgrading to OpenVPN 2.6.11 or later to mitigate the vulnerability, as detailed in the official OpenVPN wiki at https://community.openvpn.net/openvpn/wiki/CVE-2024-5594. Additional guidance appears in the OpenVPN users mailing list at https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html and Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00005.html, which cover patched packages for affected distributions.
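A defender-side check for the condition described above, as an added example that is not part of the advisory or of OpenVPN's own code: it reads a client log, flags a client banner older than 2.6.11, and reports logged PUSH_REPLY entries that contain bytes outside printable ASCII. The log line layout, the printable-ASCII heuristic, the function names and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: client log lines resemble OpenVPN's usual
# "PUSH: Received control message: 'PUSH_REPLY,...'" entries.
PUSH_RE = re.compile(rb"PUSH: Received control message: '(PUSH_REPLY.*)'\s*$")
BANNER_RE = re.compile(rb"OpenVPN (\d+)\.(\d+)\.(\d+)")
FIXED = (2, 6, 11)  # first fixed release named in the text above


def suspicious_bytes(payload: bytes) -> list:
    """Offsets of bytes outside printable ASCII in a logged PUSH_REPLY."""
    return [i for i, b in enumerate(payload) if b < 0x20 or b > 0x7E]


def audit_log(raw: bytes) -> dict:
    """Report client version status and PUSH_REPLY lines carrying odd bytes."""
    report = {"version": None, "needs_upgrade": None, "findings": []}
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        banner = BANNER_RE.search(line)
        if banner and report["version"] is None:
            version = tuple(int(part) for part in banner.groups())
            report["version"] = version
            report["needs_upgrade"] = version < FIXED
        push = PUSH_RE.search(line)
        if push:
            offsets = suspicious_bytes(push.group(1))
            if offsets:
                report["findings"].append((lineno, offsets, push.group(1)))
    return report


# Constructed sample log (not taken from a real incident).
SAMPLE_LOG = (
    b"2025-01-06 10:00:00 OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)]\n"
    b"2025-01-06 10:00:02 PUSH: Received control message: "
    b"'PUSH_REPLY,route-gateway 10.8.0.1,ifconfig 10.8.0.2 255.255.255.0'\n"
    b"2025-01-06 10:05:09 PUSH: Received control message: "
    b"'PUSH_REPLY,route-gateway 10.8.0.1,dhcp-option DOMAIN ex\x1b[2Kample\x07'\n"
)

if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print("client version:", result["version"], "upgrade:", result["needs_upgrade"])
    for lineno, offsets, payload in result["findings"]:
        print(f"line {lineno}: non-printable bytes at {offsets}: {payload!r}")
```

Reading the log as bytes and printing findings with `repr` keeps any embedded control sequences from being interpreted by the analyst's terminal.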
Details
- CWE(s)