Microsoft Warns of OpenVPN Vulnerabilities, Potential for Exploit Chains

The vulnerabilities, patched in OpenVPN 2.6.10, expose users on the Windows platform to remote code execution attacks.


LAS VEGAS — Software giant Microsoft used the spotlight of the Black Hat security conference to document multiple vulnerabilities in OpenVPN and warned that skilled hackers could create exploit chains for remote code execution attacks.

The vulnerabilities, already patched in OpenVPN 2.6.10, give attackers the building blocks for an “attack chain” that ends in full control over targeted endpoints, according to fresh documentation from Redmond’s threat intelligence team.

While the Black Hat session was advertised as a discussion on zero-days, the disclosure did not include any evidence of in-the-wild exploitation, and the vulnerabilities were fixed by the open-source project during private coordination with Microsoft before the talk.

In all, Microsoft researcher Vladimir Tokarev discovered four separate software defects affecting the client side of the OpenVPN architecture:

  • CVE-2024-27459: Affects the openvpnserv component, exposing Windows users to local privilege escalation attacks.
  • CVE-2024-24974: Found in the openvpnserv component, allowing unauthorized access on Windows platforms.
  • CVE-2024-27903: Affects the openvpnserv component, enabling remote code execution on Windows platforms and local privilege escalation or data manipulation on Android, iOS, macOS, and BSD platforms.
  • CVE-2024-1305: Applies to the Windows TAP driver (tap-windows6), and could lead to denial-of-service conditions on Windows platforms.

Microsoft emphasized that exploiting these flaws requires valid user authentication to the OpenVPN service and a deep understanding of OpenVPN’s inner workings. Once an attacker holds a user’s OpenVPN credentials, however, the software giant warns that the vulnerabilities can be combined into a sophisticated attack chain.

“An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain,” Microsoft said.

Microsoft also cautions that, after a successful local privilege escalation, attackers can turn to techniques such as Bring Your Own Vulnerable Driver (BYOVD) or exploitation of other known vulnerabilities to establish persistence on the compromised endpoint.

“Through these techniques, the attacker can, for instance, disable Protected Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection,” the company warned.

The company is strongly urging users to update to OpenVPN 2.6.10, the release that contains the fixes.
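The first thing a practitioner wants after reading a notice like this is a quick way to tell whether a given install predates the fixed release. The following script is an added example, not code from the article or from the OpenVPN project: it parses the banner line that `openvpn --version` prints (the real format begins `OpenVPN <major>.<minor>.<patch> ...`; the sample lines below are constructed to match that format and are not captured output) and compares the release number against 2.6.10. The optional live check only runs when an `openvpn` binary is found on PATH and is otherwise skipped.

```python
"""Flag OpenVPN builds older than 2.6.10, the release with the fixes.

Added example, not from the SecurityWeek article or the OpenVPN project.
Parses the first line of `openvpn --version` and compares the release
number to the fixed version. Windows installer suffixes such as
"2.6.10-I001" are tolerated because only the numeric triple is read.
"""
import re
import shutil
import subprocess

# Release named in the article as containing the fixes for all four CVEs.
FIXED_VERSION = (2, 6, 10)

# Constructed sample banner lines (not real captured output), modelled on
# the "OpenVPN x.y.z [git:...] <platform> ..." format the binary prints.
SAMPLE_BANNERS = [
    "OpenVPN 2.6.9 [git:v2.6.9/...] Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "OpenVPN 2.5.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]",
    "OpenVPN 2.6.10 [git:v2.6.10/...] Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "OpenVPN 2.6.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]",
]

# Only the leading numeric triple matters; anything after it is ignored.
_VERSION_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Return (major, minor, patch) from an `openvpn --version` banner line."""
    match = _VERSION_RE.match(banner.strip())
    if not match:
        raise ValueError(f"not an OpenVPN version banner: {banner!r}")
    return tuple(int(part) for part in match.groups())


def is_unpatched(banner: str) -> bool:
    """True when the banner describes a release older than FIXED_VERSION."""
    # Tuple comparison is numeric, so 2.6.9 < 2.6.10 is handled correctly
    # (a plain string comparison would get this wrong).
    return parse_version(banner) < FIXED_VERSION


def assess(banners) -> dict:
    """Map each banner to True (needs update) or False (at or past the fix)."""
    return {banner: is_unpatched(banner) for banner in banners}


def installed_banner(exe: str = "openvpn"):
    """Return the live banner line, or None if no openvpn binary is on PATH."""
    path = shutil.which(exe)
    if path is None:
        return None
    # `openvpn --version` may exit non-zero on some builds, so do not use check=True.
    result = subprocess.run([path, "--version"], capture_output=True, text=True)
    lines = result.stdout.splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    for banner, unpatched in assess(SAMPLE_BANNERS).items():
        print(("UPDATE " if unpatched else "ok     ") + banner)
    live = installed_banner()
    if live is None:
        print("no openvpn binary on PATH; live check skipped")
    else:
        print(("UPDATE " if is_unpatched(live) else "ok     ") + live)
```

The check covers the community OpenVPN client and service the article describes; it says nothing about whether the Windows TAP driver package itself has been updated, which is a separate installer component and should be verified on its own.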


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
