Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread Gert Doering
Hi,
On Tue, Aug 13, 2024 at 08:14:23PM -0400, Selva Nair wrote:
> Nonetheless, on Windows, we could easily add CryptProtectMemory() with SAME_PROCESS access for good measure, especially for those who cannot use "--auth-nocache". That will also add some protection to proxy passwords which are

Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread Selva Nair
On Tue, Aug 13, 2024 at 7:02 PM David W Graham wrote:
> CryptProtectMemory function (dpapi.h)
>
> "The CryptProtectMemory function encrypts memory to prevent others from viewing sensitive information in your process. For exa

Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread David W Graham
CryptProtectMemory function (dpapi.h) "The CryptProtectMemory function encrypts memory to prevent others from viewing sensitive information in your process. For example, use the CryptProtectMemory function to encrypt memory that co

Re: [Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread Gert Doering
Hi
On Tue, Aug 13, 2024 at 12:57:49PM +0200, Jakob Curdes wrote:
> The original secuvera article states that OpenVPN (I assume they mean the Windows client) is "vulnerable" to this weakness and leaves data like emails, passwords and 2FA codes in the main memory after the program is closed.

[Openvpn-users] OpenVPN and CWE-316?

2024-08-13 Thread Jakob Curdes
Hello all, in Germany we are reading articles like this one: https://www.heise.de/news/Schwere-Luecke-bei-kritischen-Anwendungen-Klartextpasswoerter-im-Prozessspeicher-9830774.html https://www.secuvera.de/blog/studie-klartextpassworter-in-passwortspeichern/ which mentions CWE-316: "Cleartext S