CVE-2024-8474 - OpenVPN Connect Logs Your Private Key in Plaintext

A serious security issue has been discovered in OpenVPN Connect, the popular official VPN client for OpenVPN servers. Identified as CVE-2024-8474, this vulnerability affects versions of OpenVPN Connect released before 3.5.. If you’re using this client, your private key could have been logged in clear text, leaving your VPN connection exposed to anyone with access to your device logs.

In this post, we’ll break down exactly what happened, include code snippets illustrating the problem, and show how attackers might exploit this bug. Our goal is to make sure you understand the risks, see how the exploit works, and know how to fix the issue.

What is CVE-2024-8474?

CVE-2024-8474 is a logging vulnerability in OpenVPN Connect, where the app writes your sensitive configuration details—specifically the private key—straight into its application logs in unencrypted, plain text.

Why does this matter?

Your private key is supposed to be secret. Anyone who gets it can impersonate you on the VPN, or decrypt traffic they capture. Logging it in clear text means anyone with access to those logs—malware, an insider, or even support personnel—can use it maliciously.

How Does the Vulnerability Work?

When you import a .ovpn configuration that includes a private key, OpenVPN Connect stores the entire key in plain text inside its log files. Here’s a simplified look at how it happens.

A typical OpenVPN profile looks like this

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind

<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9wBAQEFAASCBKcwggSjAgEAAoIBAQ...
...snip...
-----END PRIVATE KEY-----
</key>
...

The Logging Problem

When you import this configuration, OpenVPN Connect writes something similar to the below into its log file (openvpn.log or similar):

[Log] Loading user profile
[Log] Using embedded key:
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9wBAQEFAASCBKcwggSjAgEAAoIBAQ...
...snip...
-----END PRIVATE KEY-----

Anyone who can read these logs—on disk, in backup, or through attackers with malware access—can grab your private key. This effectively compromises your VPN identity and traffic.

Attacker Gets Log Access:

This might be physical (someone with your device), remote (via malware), or by looking at backup logs.

Attacker Imports the Profile:

Using OpenVPN or another tool, they use the private key to connect, impersonating you or decrypting your encrypted traffic if they’ve also captured the VPN data.

Exploit Code Snippet

Here’s a simple Python script that parses OpenVPN logs for private keys (for illustration; don’t use maliciously!):

import re

with open('openvpn.log', 'r') as f:
    log_data = f.read()

private_keys = re.findall(
    r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----",
    log_data,
    re.DOTALL
)

for i, key in enumerate(private_keys):
    print(f"Found private key #{i+1}:")
    print("-----BEGIN PRIVATE KEY-----" + key + "-----END PRIVATE KEY-----\n")

Update OpenVPN Connect

Version 3.5. fixes this issue. Download the latest version from the official OpenVPN Connect downloads page.

On Windows: C:\Users\<User>\OpenVPN\log\

- On macOS: ~/Library/Application Support/OpenVPN/log/
- On iOS/Android: Clear app data.

References

- Official OpenVPN Advisory for CVE-2024-8474
- NVD Entry for CVE-2024-8474
- OpenVPN Connect Download

Summary

CVE-2024-8474 is an alarm bell for anyone using OpenVPN Connect before 3.5.. If you haven’t already, update your VPN client now, clear out old logs, and consider rotating your VPN keys. The risk isn’t just theoretical—a simple look through log files could put your network identity in someone else’s hands.

Stay safe and keep your keys private—don’t let a log file be your weakest link.

If you found this guide helpful, let us know. For more deep dives into security flaws, follow our channel!

Timeline

Published on: 01/06/2025 15:15:14 UTC
Last modified on: 01/06/2025 17:15:44 UTC