Hello all,
in Germany we are reading articles like this one:
https://www.heise.de/news/Schwere-Luecke-bei-kritischen-Anwendungen-Klartextpasswoerter-im-Prozessspeicher-9830774.html
https://www.secuvera.de/blog/studie-klartextpassworter-in-passwortspeichern/
which mentions CWE-316: "Cleartext Storage of Sensitive Information in
Memory"
(I could not find an English discussion about OpenVPN, but Reddit has
this:
https://www.reddit.com/r/1Password/comments/1eqdllw/cwe316_cleartext_storage_of_sensitive_information/?rdt=39150)
The original secuvera article states that OpenVPN (I assume they mean
the Windows client) is "vulnerable" to this weakness and leaves data
like emails, passwords and 2FA codes in the main memory after the
program is closed. I have not tested this myself so I cannot say if that
is true.
If it is true, is this already known and could it be addressed somehow?
Some password managers that have also been tested seem to clear all
these data when the program is closed.
Regards, Jakob
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users