CVE-2024-8474
Published: 06 January 2025
Description
OpenVPN Connect before version 3.5.0 can write the configuration profile's clear-text private key to the application log, which an unauthorized actor can use to decrypt the VPN traffic.
Security Summary
CVE-2024-8474 is a vulnerability in OpenVPN Connect versions prior to 3.5.0, where the configuration profile's clear-text private key can be logged in the application log. This exposure of sensitive cryptographic material, classified under CWE-212 (Improper Removal of Sensitive Information before Storage or Transfer), allows unauthorized access to the private key. The issue received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.
An attacker with access to the application's logs can extract the clear-text private key from the logged configuration profile. Per the CVSS vector, no privileges or user interaction are required, and the attack vector is the network with low attack complexity. Successful exploitation grants the ability to decrypt VPN traffic protected by that key, potentially exposing sensitive data in transit.
Mitigation is addressed in OpenVPN Connect version 3.5.0, as detailed in the official Android release notes at https://openvpn.net/connect-docs/android-release-notes.html. Security practitioners should upgrade to version 3.5.0 or later and review logs for exposed keys, ensuring proper handling of configuration profiles to prevent similar logging issues.
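One way to carry out the log review mentioned above, as an added example that is not OpenVPN's own code: a scanner that finds PEM private-key blocks in log lines, reports whether each block is complete, and returns a redacted copy. The function name `scan_log`, the sample log format and the placeholder key body are assumptions made for illustration.

```python
import re

# PEM markers for private keys (PKCS#8, RSA, EC, encrypted PKCS#8).
BEGIN = re.compile(r"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----")
END = re.compile(r"-----END ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----")

def scan_log(lines):
    """Return (findings, redacted); a finding is (first, last, label, complete)."""
    # Line numbers are 1-based; complete is False if the log ends before END.
    findings, redacted = [], []
    start = label = None
    for no, line in enumerate(lines, 1):
        if start is None:
            m = BEGIN.search(line)
            if not m:
                redacted.append(line)
                continue
            start, label = no, m.group(1)
            # Keep the text before the marker (timestamp, tag), drop the rest.
            redacted.append(f"{line[:m.start()]}[REDACTED {label}]")
            if END.search(line, m.end()):  # whole key on one log line
                findings.append((start, no, label, True))
                start = None
        elif END.search(line):
            findings.append((start, no, label, True))
            start = None
        # Other lines inside a key block are left out of the redacted copy.
    if start is not None:  # truncated or rotated log: BEGIN without END
        findings.append((start, no, label, False))
    return findings, redacted

# Constructed sample: line format and key body are placeholders, not real
# OpenVPN Connect output and not real key material.
SAMPLE = """\
2025-01-06 10:00:01 profile import started
2025-01-06 10:00:01 <key>
2025-01-06 10:00:01 -----BEGIN PRIVATE KEY-----
2025-01-06 10:00:01 PLACEHOLDERPLACEHOLDERPLACEHOLDER
2025-01-06 10:00:01 -----END PRIVATE KEY-----
2025-01-06 10:00:01 </key>
2025-01-06 10:00:02 connecting
""".splitlines()

if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE)
    for first, last, label, complete in hits:
        print(f"lines {first}-{last}: {label}, complete={complete}")
    print("\n".join(clean))
```

Any key that such a scan finds should be treated as compromised and replaced, since redacting the log does not undo earlier exposure.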
Details
- CWE(s)