SB2025010818 - Cleartext storage of private key in OpenVPN Connect on Android

Description

This security bulletin contains information about 1 vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-8474)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to application writes the configuration profile's clear-text private key in the application log. A local application installed on the device can read the log file and gain obtain the OpenVPN private key. This key can be used to decrypt traffic between client and the VPN server.

Remediation

Install update from vendor's website.

References

• https://openvpn.net/connect-docs/android-release-notes.html
• https://github.com/advisories/GHSA-qcg2-98h8-485j
• https://openvpn.net/security-advisories/#f4fbdfc0e644bef3c962880f02716c5c