Local Users Can Execute Code in External Libraries via DYLD_INSERT_LIBRARIES Environment Variable
CVE-2023-7224

7.8HIGH

Key Information:

Vendor: OpenVPN
Status: Connect
Vendor: CVE Published:; 8 January 2024

Summary

A vulnerability exists within OpenVPN Connect versions 3.0 through 3.4.6 on macOS that can allow local users to execute arbitrary code by leveraging the DYLD_INSERT_LIBRARIES environment variable. This exploitation may enable malicious users to run unauthorized code using external third-party libraries, potentially compromising the integrity of the system. It is essential for users of OpenVPN Connect to ensure they are using a patched version to mitigate this risk.

References

https://openvpn.net/vpn-server-resources/openvpn-connect-...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 8, 2024