This fixes a security issue that has been in the "master" branch for a few months (not in any released 2.5 or 2.6 version), including 2.7_beta1.
To exploit this, a client needs to be using --dns-updown on a Unix OS, and needs to connect to a server that presents a trusted certificate and then sends a PUSH_REPLY with malicious intent. Alternatively, if the client is on Windows, you need to run openvpn.exe without using the interactive service (because the unsafe PowerShell call only happens in the "fallback" code in openvpn itself). The problematic code on Windows is much more recent (replacement of wmic.exe with PowerShell), but the fix is the same: sanitize input data.

In other words: do not use a "devel" OpenVPN with --dns-updown without this patch, and do not run a recent openvpn.exe without iservice, unless you trust the server operator.

The actual validation code is the same as in 2.6 in commit 6c3afe508b15, so it has already been tested quite a bit (the CVE is only in master).

Thanks to Stanislav Fort <[email protected]> for reporting this to [email protected]. CVE 2025-10680 has been assigned to track and document this.

Your patch has been applied to the master branch.

commit 3a66045b407321c9d1c096227db164df3955ab40
Author: Lev Stipakov
Date:   Wed Sep 24 22:15:56 2025 +0200

    Validate DNS parameters

    Signed-off-by: Lev Stipakov <[email protected]>
    Acked-by: Gert Doering <[email protected]>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1213
    Message-Id: <[email protected]>
    URL: https://sourceforge.net/p/openvpn/mailman/message/59238367/
    Signed-off-by: Gert Doering <[email protected]>

--
kind regards,

Gert Doering

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
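The message above describes the class of bug (server-pushed DNS values reaching a --dns-updown script or a PowerShell command line unvalidated) and the fix (validate them before use) but not the validation itself. The following is an added example written for this page, not code from the OpenVPN commit or from the project: it shows the allow-list approach a practitioner would use, accepting a pushed value only if it parses as an IP address or as a plain hostname, so that shell metacharacters never get a chance to be interpreted. The function names (dns_addr_ok, dns_domain_ok, dns_option_ok), the two-form subset of the "dns" option grammar handled by dns_option_ok, and the sample PUSH_REPLY tokens are all assumptions made for the example.

```c
/* Added example, not OpenVPN code: allow-list validation of DNS values a
 * server could push, applied before they reach a script or shell command.
 * Function names and the option grammar below are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An address is accepted only if inet_pton parses it as IPv4 or IPv6.
 * Anything else (whitespace, ';', '$', backticks, quotes) is rejected. */
bool dns_addr_ok(const char *s)
{
    unsigned char buf[16];
    if (s == NULL || *s == '\0') {
        return false;
    }
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* A search domain is accepted only if it is a syntactically plain hostname:
 * 1..253 characters, labels of 1..63 characters from [A-Za-z0-9-], no label
 * starting or ending with '-'. One trailing dot (FQDN form) is tolerated. */
bool dns_domain_ok(const char *s)
{
    size_t len, i, label = 0;
    if (s == NULL) {
        return false;
    }
    len = strlen(s);
    if (len == 0 || len > 253) {
        return false;
    }
    if (len > 1 && s[len - 1] == '.') {
        len--; /* strip a single trailing dot */
    }
    for (i = 0; i < len; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') {
                return false; /* empty label or label ending in '-' */
            }
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') {
                return false; /* label starting with '-' */
            }
            if (++label > 63) {
                return false;
            }
        } else {
            return false; /* any other byte, including shell metacharacters */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Validate one tokenized pushed "dns" option. Only two hypothetical forms
 * are handled, a simplified subset used for this example:
 *   dns server <n> address <addr> [<addr> ...]
 *   dns search-domains <domain> [<domain> ...]
 * Returns true only if every value passes the allow-list checks above. */
bool dns_option_ok(int argc, const char *argv[])
{
    int i;
    if (argc < 3 || strcmp(argv[0], "dns") != 0) {
        return false;
    }
    if (strcmp(argv[1], "search-domains") == 0) {
        for (i = 2; i < argc; i++) {
            if (!dns_domain_ok(argv[i])) {
                return false;
            }
        }
        return true;
    }
    if (strcmp(argv[1], "server") == 0) {
        /* argv[2] is the server priority: a non-negative decimal integer */
        char *end;
        long n = strtol(argv[2], &end, 10);
        if (*argv[2] == '\0' || *end != '\0' || n < 0) {
            return false;
        }
        if (argc < 5 || strcmp(argv[3], "address") != 0) {
            return false;
        }
        for (i = 4; i < argc; i++) {
            if (!dns_addr_ok(argv[i])) {
                return false;
            }
        }
        return true;
    }
    return false; /* unknown sub-option: reject rather than pass through */
}

int main(void)
{
    /* Constructed sample tokens, as a client might receive in a PUSH_REPLY. */
    const char *benign[] = { "dns", "server", "1", "address", "10.0.0.1", "2001:db8::1" };
    const char *inject[] = { "dns", "search-domains", "example.com", "$(id)" };
    printf("benign option accepted: %s\n", dns_option_ok(6, benign) ? "yes" : "no");
    printf("injection attempt accepted: %s\n", dns_option_ok(4, inject) ? "yes" : "no");
    return 0;
}
```

The design point is that the checks decide what a value must look like, not what it must not contain: a value that is a valid address or hostname cannot carry a command separator, so no escaping step is needed before the value is exported to a script environment or placed on a command line.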
