SUSE update for openvpn

1) Resource exhaustion

EUVDB-ID: #VU92937

Risk: Low

CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-5594

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote peer to perform a denial of service (DoS) attack.

The vulnerability exists due to application accepts control channel messages with nonprintable characters. A remote peer can send garbage to openvpn log, or cause high CPU load.

Mitigation

Update the affected package openvpn to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

openvpn-auth-pam-plugin-debuginfo: before 2.3.8-16.35.1

openvpn-debuginfo: before 2.3.8-16.35.1

openvpn-debugsource: before 2.3.8-16.35.1

openvpn-auth-pam-plugin: before 2.3.8-16.35.1

openvpn: before 2.3.8-16.35.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended:Security:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:openvpn-auth-pam-plugin-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:openvpn-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:openvpn-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:openvpn-auth-pam-plugin:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:openvpn:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251053-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.