Microsoft reports multiple OpenVPN vulnerabilities that can be used to execute code
Take action: If you are using OpenVPN on Windows, it is time to plan a quick update to 2.6.10/2.5.10. The vulnerabilities will be packaged as the second stage of a phishing or malware attack to gain access to the internal infrastructure of the company, far beyond the permissions of the individual VPN user. Don't delay.
Microsoft researchers have identified a series of vulnerabilities in OpenVPN, a widely used open-source VPN solution.
The vulnerabilities affect OpenVPN versions prior to 2.6.10 and 2.5.10 and could be chained together into an attack that includes remote code execution (RCE) and local privilege escalation (LPE). Exploitation could allow attackers to gain complete control over targeted systems.
The research revealed four primary vulnerabilities in OpenVPN's client-side architecture:
- CVE-2024-27459 (CVSS score 7.8): This vulnerability involves the "tap-windows6" project, specifically in the TapDeviceWrite method. An integer overflow can occur due to attacker-controlled parameters, resulting in memory overflow.
- CVE-2024-24974 (CVSS score 7.5): This vulnerability exists in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. The service reads a user-provided message size, leading to a potential stack overflow vulnerability.
- CVE-2024-27903 (CVSS score 9.8): This vulnerability allows remote access to the \\openvpn\\service named pipe, enabling an attacker to launch operations remotely.
- Plugin Loading Vulnerability: A flaw in OpenVPN's plugin mechanism permits plugins to be loaded from arbitrary paths, which can be exploited to load malicious plugins.
Attack Chain and Exploitation
An attacker with OpenVPN credentials could leverage these vulnerabilities in combination to create an attack chain, enabling RCE and LPE. For example, by exploiting the vulnerabilities, an attacker could spawn a new openvpn.exe process remotely, inject malicious configurations, and gain elevated privileges on the system. This could result in a complete system takeover, enabling the attacker to steal, manipulate, or destroy critical data.
Users of OpenVPN on Windows should immediately upgrade to version 2.6.10 or 2.5.10 to mitigate these vulnerabilities. Users running OpenVPN on Linux should follow the issue for a possible exploit affecting the Linux version.
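To turn the version guidance above into a fleet check, the following added example (not code from Microsoft or the OpenVPN project) classifies `openvpn --version` banner lines against the fixed releases 2.6.10 and 2.5.10. The host names and banner lines are constructed sample data, and the treatment of branches other than 2.5 and 2.6 is an assumption stated in the comments.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}
VERSION = re.compile(r"^OpenVPN (\d+)\.(\d+)\.(\d+)")

def triage(banner):
    """Classify the first line of `openvpn --version` output."""
    m = VERSION.match(banner.strip())
    if not m:
        return "unknown"  # no parsable release number: check this host by hand
    version = tuple(int(part) for part in m.groups())
    branch = version[:2]
    if branch in FIXED:
        patched = version >= FIXED[branch]
    else:
        # Assumption: branches after 2.6 carry the fixes; branches before 2.5
        # are "prior to" both fixed releases and are treated as affected.
        patched = branch > max(FIXED)
    if patched:
        return "patched"
    # The upgrade instruction targets Windows; other platforms are tracked.
    on_windows = re.search(r"mingw|windows", banner, re.IGNORECASE)
    return "update" if on_windows else "monitor"

def triage_fleet(inventory):
    """Map each host to its triage status."""
    return {host: triage(banner) for host, banner in inventory.items()}

# Constructed inventory: host name -> collected banner line.
SAMPLE_INVENTORY = {
    "ws-01": "OpenVPN 2.6.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-02": "OpenVPN 2.6.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-03": "OpenVPN 2.5.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]",
    "ws-04": "OpenVPN 2.4.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]",
    "lnx-01": "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
    "ws-05": "openvpn: command not found",
}

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "update" are Windows installs below the fixed release for their branch; "monitor" marks unpatched non-Windows installs to keep under watch.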