TheGreenBow VPN solutions are known for their robustness and security. We constantly monitor our products to anticipate as far as possible any potential security issues and to stay ahead of the latest threats. We closely follow the latest security trends by working in close collaboration with security companies and researchers.
We are also very attentive to feedback from our customers.
If you would like to notify us of a vulnerability, please contact us at: advisory@thegreenbow.com.
Security Patches
- Security patch (CVE-2024-45750) for Windows Standard VPN Client version 6.87.x: download here
- Security patch (CVE-2024-45750) for Windows Enterprise VPN Client version 7.5.x: download here
- Security patch (CVE-2023-47267) for Windows Certified VPN Client version 6.52.006: download here
- Security patch (reference TGB_2022_001) for Windows Certified VPN Client version 6.52.006: download here
Security notices and updates
If you would like to receive information on new vulnerabilities, please email us the contact details of your company’s or organization’s security officer to: referent@thegreenbow.com.

- Impact: medium
- Vulnerability / security update: Malformed ECDSA signature accepted
- Reference: CVE-2024-45750
- Publication: 24/09/2024
- Credit: TheGreenBow
- Detail: During the IKEv2 Authentication phase, the VPN client accepts malformed ECDSA signatures and establishes the tunnel.
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Windows Standard VPN Client 6.87.108 (and older) | Windows Enterprise VPN Client 6.87.109 (and older) | Windows Enterprise VPN Client 7.5.007 (and older) | Android VPN Client 6.4.5 (and older) | VPN Client Linux 3.4 (and older) | VPN Client MacOS 2.4.10 (and older)
- Corrected software from version: VPN Client Android 6.4 | VPN Client macOS 2.5 | VPN Client Linux 3.4 Ubuntu 22.04 | VPN Client Linux 3.4 Red Hat 9 | Patch Windows Standard VPN Client version 6.87.108 | Windows Enterprise VPN Client version 7.5.109

- Impact: high
- Vulnerability / security update: Privilege escalation to SYSTEM using memory-mapped files
- Reference: CVE-2023-47267
- Publication: 30/11/2023
- Credit: Michelin
- Detail: Malware can use the VPN Client to write and delete a registry key, allowing execution with privilege escalation to SYSTEM.
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Windows VPN Client 6.87 standard, 6.87 Enterprise and 6.52 (Certified)
- Corrected software from version: Windows Certified VPN Client version 6.52.006 | Windows Enterprise VPN Client 6.87.109 | Windows Standard VPN Client 6.87.108

- Impact: low
- Vulnerability / security update: OpenSSL security update
- Reference: TGB_2022_002
- Publication: 14/04/2022
- Credit: OpenSSL
- Detail: OpenSSL security update 1.1.1n (CVE-2022-0778)
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Windows VPN Client 6.8
- Corrected software from version: Windows Enterprise VPN Client 6.87.108 | Windows Standard VPN Client 6.87.108

- Impact: medium
- Vulnerability / security update: Risk of buffer overflow during license activation
- Reference: TGB_2022_001
- Publication: 14/04/2022
- Credit: Oppida
- Detail: An attacker able to intercept HTTP messages sent to the license activation server could insert a malicious payload and cause a buffer overflow.
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Patch version
- Affected product: Windows VPN Client 6.6, 6.8 and 6.52 (Certified)
- Corrected software from version: Windows Enterprise VPN Client 6.87.108 | Windows Standard VPN Client 6.87.108 | Windows Certified VPN Client 6.52 (patch 2, compatible with Microsoft Defender)

- Impact: low
- Vulnerability / security update: DoS on the configuration panel with an oversized administrator password.
- Reference: 2019_6947
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22 (Certified)
- Corrected software from version: Client VPN Windows 5.22.008 (Certified)

- Impact: low
- Vulnerability / security update: Some padding bytes of the VPN configuration file signature can be patched.
- Reference: 2019_6957
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: No exploitation of this vulnerability was found.
- Affected product: Client VPN Windows 5.22, 6.50, 6.60
- Corrected software from version: Client VPN Windows 5.22.008 (Certified) | Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64

- Impact: low
- Vulnerability / security update: DoS while the software is in trace mode, with a UDP packet flood
- Reference: 2018_7322
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22, 6.50, 6.60
- Corrected software from version: Windows VPN Client 5.22.008 (Certified) | Windows VPN Client 6.52.006 (Certified) | Windows VPN Client 6.64.003

- Impact: medium
- Vulnerability / security update: The VPN Client software authenticates the gateway even if no AUTH payload is received
- Reference: 2018_6926
- Publication: 15/04/2019
- Credit: Oppida
- Detail: The client accepts IKE_AUTH messages that don't contain CERT and/or AUTH payloads. A Man-in-the-Middle attacker can take advantage of this behaviour in order to usurp the identity of the gateway and therefore undermine the integrity and the confidentiality of the data transmitted within the tunnel.
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22
- Corrected software from version: Windows VPN Client 5.22.008 (Certified)

- Impact: medium
- Vulnerability / security update: Certificate date validity can be bypassed through the use of GeneralizedTime format
- Reference: 2018_7338
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22, 6.50, 6.60
- Corrected software from version: Client VPN Windows 5.22.008 (Certified) | Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64.003

- Impact: medium
- Vulnerability / security update: DoS upon malformed certificate reception
- Reference: 2018_7323
- Publication: 15/04/2019
- Credit: Oppida
- Detail: The VPN Client is vulnerable to DoS via parsing of a malformed certificate coming from the gateway. The certificate can be truncated or contain an ASN.1 length larger than the size of the data.
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22, 6.50, 6.60
- Corrected software from version: Client VPN Windows 5.22.008 (Certified) | Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64.003

- Impact: high
- Vulnerability / security update: Possibility of a man-in-the-middle attack via the use of a CA stored in the Windows certificate store
- Reference: 2018_7293
- Publication: 15/04/2019
- Credit: ANSSI
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22, 6.50, 6.60
- Corrected software from version: Client VPN Windows 5.22.008 (Certified) | Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64

- Impact: medium
- Vulnerability / security update: DoS when managing a certificate with special characters
- Reference: 2018_6943
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 5.22
- Corrected software from version: Client VPN Windows 5.22.008 (Certified)

- Impact: low
- Vulnerability / security update: Port 1194, which is always listening, may be used for a DoS
- Reference: 2018_7294
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 6.50, 6.60
- Corrected software from version: Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64

- Impact: high
- Vulnerability / security update: The embedded browser used for captive portal management in GINA mode allows a privilege escalation
- Reference: 2018_7300
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Windows VPN Client 6.50, 6.60
- Corrected software from version: Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64.003

- Impact: medium
- Vulnerability / security update: DoS upon malformed SA reception
- Reference: 2018_7324
- Publication: 15/04/2019
- Credit: Oppida
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 6.50, 6.60
- Corrected software from version: Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64.003

- Impact: medium
- Vulnerability / security update: Configuration file signature bypass
- Reference: TGB_2019_6967
- Publication: 20/02/2019
- Credit: Synacktiv
- Detail: -
- Exploitation: TheGreenBow is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected product: Client VPN Windows 6.4x and before
- Corrected software from version: Client VPN Windows 6.52.006 (Certified) | Client VPN Windows 6.64.003