Ubuntu Fixes Two OpenVPN Vulnerabilities
Two vulnerabilities were discovered in OpenVPN, a virtual private network software package. One allows an authenticated client to keep a closing session active; the other can lead to a denial of service. Canonical released security updates to address these vulnerabilities in affected Ubuntu releases: Ubuntu 24.04 LTS, Ubuntu 23.10, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS.
Let’s look at the details of these vulnerabilities and learn how to stay secure.
OpenVPN Vulnerabilities Fixed in Ubuntu
CVE-2024-28882
It was found that OpenVPN in a server role accepts multiple exit notifications from authenticated clients. This oversight allows a remote authenticated client to keep the connection active and extend the validity of a closing session. This vulnerability only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
CVE-2024-5594
This vulnerability involves the incorrect handling of certain control channel messages containing nonprintable characters. A remote attacker could possibly use this issue to make OpenVPN consume excessive CPU or fill up log files with garbage, leading to a denial of service.
How to Stay Secure
To protect your Ubuntu systems, it is crucial to update the OpenVPN installation to the latest patched version promptly. Canonical has patched these OpenVPN vulnerabilities in the following newer versions:
- Ubuntu 24.04: 2.6.9
- Ubuntu 23.10: 2.6.5
- Ubuntu 22.04: 2.5.9
- Ubuntu 20.04: 2.4.12
To update OpenVPN, first use this command to refresh the package index.
$ sudo apt update
Then run this command to upgrade only the OpenVPN package.
$ sudo apt install --only-upgrade openvpn
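After upgrading, it is worth confirming that the installed package actually meets the fixed version listed above for your release rather than trusting that the upgrade ran. The script below is an added example, not part of the original advisory or of Canonical's tooling: it maps the Ubuntu release to the fixed OpenVPN version from the list above, strips the Debian revision from the installed package version, and compares the upstream part numerically. The version comparison is a deliberate simplification that only handles dotted numeric versions (no `~rc` or `+` suffixes); on a real host, `dpkg --compare-versions` is the authoritative check. The `check_host` function and the `--live` flag are this example's own names.

```shell
#!/bin/sh
# Added example: verify the installed openvpn package meets the fixed
# version for the running Ubuntu release (versions from the advisory above).

# Fixed upstream OpenVPN version per Ubuntu release, as listed in the advisory.
fixed_version_for_release() {
    case "$1" in
        24.04) echo 2.6.9 ;;
        23.10) echo 2.6.5 ;;
        22.04) echo 2.5.9 ;;
        20.04) echo 2.4.12 ;;
        *)     return 1 ;;   # release not covered by this advisory
    esac
}

# Drop the Debian revision (everything from the first '-'), so that a package
# version such as 2.6.9-0ubuntu0.24.04.1 is compared on its upstream part.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Return 0 if upstream version $1 >= upstream version $2.
# Simplified: assumes purely numeric dotted versions. Prefer
# `dpkg --compare-versions` on a live system.
version_ge() {
    a=$(upstream_version "$1"); b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0     # missing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0   # all components equal
}

# is_patched RELEASE INSTALLED_VERSION
# Exit 0 when patched, 1 when still vulnerable, 2 when the release is unknown.
is_patched() {
    release=$1; installed=$2
    fixed=$(fixed_version_for_release "$release") || return 2
    version_ge "$installed" "$fixed"
}

# Live check: read the release and the installed package version from the host.
check_host() {
    release=$(. /etc/os-release && printf '%s\n' "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}' openvpn 2>/dev/null) || {
        echo "openvpn is not installed"; return 0; }
    if is_patched "$release" "$installed"; then
        echo "openvpn $installed on Ubuntu $release: patched"
    else
        echo "openvpn $installed on Ubuntu $release: NOT patched"
        echo "run: sudo apt install --only-upgrade openvpn"
        return 1
    fi
}

# Only touch the host when explicitly asked, so the functions can be sourced.
case "${1:-}" in --live) check_host ;; esac
```

Run it as `sh check-openvpn.sh --live` on the host to get a pass/fail result; sourcing the file instead exposes `is_patched` for use in other scripts. Note that the constructed version strings used to exercise it (for example `2.4.9` versus `2.4.12`) show why a numeric rather than lexical comparison is needed.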
Protecting End of Life Ubuntu Systems
End of Life (EOL) Ubuntu releases no longer receive security updates, which makes them highly exposed to newly discovered vulnerabilities. To secure EOL Ubuntu systems against OpenVPN vulnerabilities, you have a couple of options for receiving the necessary security updates.
Ubuntu Pro: Canonical offers an Extended Security Maintenance (ESM) service through the Ubuntu Pro subscription. This service provides security updates for end-of-life Ubuntu releases but can be relatively expensive.
TuxCare’s Extended Lifecycle Support: TuxCare offers a more affordable solution with their Extended Lifecycle Support. This service provides security updates for an additional five years after the end-of-life date of an Ubuntu release. TuxCare covers a wide range of packages, including OpenVPN, Linux kernel, glibc, OpenSSL, Python, PHP, and more. This comprehensive coverage ensures that your system remains secure even after the official support period ends.
Source: USN-6860-1