#VU12129 Double free memory error in OpenVPN for Windows - CVE-2018-9336

Cybersecurity Help s.r.o.

Published: 2018-04-24

Vulnerability identifier: #VU12129

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-9336

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenVPN for Windows
Client/Desktop applications / Software for system administration

Vendor: OpenVPN

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to double-free memory error in Interactive Service. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation
Update to version 2.4.6.

Vulnerable software versions

OpenVPN for Windows: 2.4.0 - 2.4.5

External links
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Double free memory error in openvpn (Alpine package)

OpenSUSE Linux update for openvpn

Slackware Linux update for openvpn

Denial of service in OpenVPN