SB2025010818 - Cleartext storage of private key in OpenVPN Connect on Android




Published: January 8, 2025 Updated: February 5, 2025

Security Bulletin ID: SB2025010818
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-8474)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists because the application writes the configuration profile's clear-text private key to the application log. A local application installed on the device can read the log file and obtain the OpenVPN private key. This key can be used to decrypt traffic between the client and the VPN server.
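
The following is an added example, not code from this bulletin or from OpenVPN: it shows one way to strip private-key material from a profile before it reaches a logger, and to check existing log text for leaked key blocks without echoing the key. It assumes the profile carries its key in an inline `<key>` section; the function names, placeholder strings and sample profile are constructed for illustration.

```python
import re

# Constructed sample: an OpenVPN profile with an inline key (not a real key).
SAMPLE_PROFILE = """client
remote vpn.example.test 1194
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Tk9UIEEgUkVBTCBLRVk=
-----END PRIVATE KEY-----
</key>
"""

BEGIN = re.compile(r"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----")
PEM_KEY = re.compile(BEGIN.pattern + r".*?-----END \1-----", re.DOTALL)
# Inline profile sections that hold secrets; <ca> and <cert> are public.
INLINE_SECRET = re.compile(r"<(?P<tag>key|tls-auth|tls-crypt)>.*?</(?P=tag)>", re.DOTALL)


def redact(profile_text):
    """Strip secret material so the profile is safe to pass to a logger."""
    text = INLINE_SECRET.sub(lambda m: f"<{m['tag']}>[REDACTED]</{m['tag']}>", profile_text)
    return PEM_KEY.sub("[REDACTED PRIVATE KEY]", text)


def find_leaks(log_text):
    """Return (first_line, last_line, kind) per key block, never the key itself."""
    lines = log_text.splitlines()
    hits, open_at, kind = [], None, None
    for n, line in enumerate(lines, 1):
        if open_at is None:
            m = BEGIN.search(line)
            if m:
                open_at, kind = n, m.group(1)
        if open_at is not None and f"-----END {kind}-----" in line:
            hits.append((open_at, n, kind))
            open_at = None
    if open_at is not None:  # log cut off mid-key: still a leak
        hits.append((open_at, len(lines), kind + " (truncated)"))
    return hits


if __name__ == "__main__":
    log = "constructed log line: profile loaded\n" + SAMPLE_PROFILE
    print(find_leaks(log))
    print(find_leaks("constructed log line\n" + redact(SAMPLE_PROFILE)))
```
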


Remediation

Install the update from the vendor's website.