CVE-2024-28820: 
Linux Debian vulnerability analysis and mitigation

Buffer overflow vulnerability (CVE-2024-28820) affects openvpn-auth-ldap (Three Rings Auth-LDAP plugin for OpenVPN) version 2.0.4. The vulnerability was discovered in the extractopenvpncr function in openvpn-cr.c and was disclosed on June 27, 2024 (NVD).

The vulnerability exists in the extractopenvpncr function where attackers can trigger a buffer overflow by passing a string containing more than 14 colons in the challenge/response password field. This occurs before the number of tokens is validated, allowing writing past the end of tokenIndexes array. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

Successful exploitation of this vulnerability could allow attackers with a valid LDAP username to cause a buffer overflow, potentially leading to code execution or system crashes (NVD).

A fix has been proposed in a pull request that ensures the loop bails before attempting to write past the end of tokenIndexes. The fix validates that any response with more than 15 fields is invalid according to the current protocol (GitHub PR).

There are concerns about the project being potentially abandoned, as noted in the pull request discussion. The business listed as providing support has closed, and the security contact email address was unreachable during the CVE notification process (GitHub PR).