Microsoft found four bugs in OpenVPN that could be chained to achieve remote code execution and local privilege escalation.
During the Black Hat USA 2024 conference, Microsoft researchers disclosed multiple medium-severity bugs in the open-source project OpenVPN that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
OpenVPN is an open-source software that provides a secure and flexible way to establish a Virtual Private Network (VPN) connection.
Attackers can exploit the flaws to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.
“This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information,” reads the post published by Microsoft. “Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems.”
The exploitation of these flaws requires user authentication and an deep understanding of OpenVPN’s inner workings. The vulnerabilities impact all versions of OpenVPN prior to version 2.6.10 and 2.5.10.
Below is a list the discovered vulnerabilities:
CVE ID | OpenVPN component | Impact | Affected platform |
CVE-2024-27459 | openvpnserv | Denial of service (DoS), local privilege escalation (LPE) | Windows |
CVE-2024-24974 | openvpnserv | Unauthorized access | Windows |
CVE-2024-27903 | openvpnserv | Remote code execution (RCE) | Windows |
Local privilege escalation (LPE), data manipulation | Android, iOS, macOS, BSD | ||
CVE-2024-1305 | Windows TAP driver | Denial of service (DoS) | Windows |
An attack can exploit these vulnerabilities after obtaining a user’s credentials through differed methods, such as purchasing them on the dark web, using an info stealer, or capturing NTLMv2 hashes from network traffic and cracking them with tools like HashCat or John the Ripper.
“As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.” concludes the post. “Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)