
Severe Code Execution Vulnerabilities Affect OpenVPN-Based Applications

Security researchers at Claroty have raised the alarm for a series of severe code execution vulnerabilities affecting virtual private network (VPN) solutions relying on OpenVPN.


The company documented four security errors in products from HMS Industrial Networks, MB connect line, PerFact, and Siemens that allow attackers to achieve code execution by tricking potential victims into visiting a maliciously crafted web page.

VPN solutions give users a way to encrypt the traffic flowing between their devices and a specific network, so that potentially sensitive data is transmitted securely. OpenVPN is the most common implementation of such a VPN solution.

During its analysis of OpenVPN-based solutions, Claroty discovered that vendors usually deploy OpenVPN as a service with SYSTEM privileges. This poses a security risk, because any remote or local application can then control the OpenVPN instance to initiate or terminate a secured connection.

Typically, a VPN client-server architecture involves the presence of a front end (a GUI application), a back end (which receives commands from the front-end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection).

Because in most cases a cleartext protocol, without any form of authentication, is used on the dedicated socket channel through which the front end controls the back end, “anyone with access to the local TCP port the back end listens on, could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration,” Claroty explained.


An attacker looking to exploit this flaw would simply need to trick the victim into accessing a malicious website containing embedded JavaScript code designed to send a blind POST request locally, injecting commands into the VPN client back end. This is a classic Server-Side Request Forgery (SSRF) case, the company said.


“Once the victim clicks the link, an HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol in which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command,” according to Claroty’s documentation.

Because the back end server will automatically parse and execute any valid commands it may receive, it could be instructed to load a remote configuration file containing specific commands leading to code execution or the installation of malicious payloads.
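As an added illustration (not Claroty's or any vendor's code), the following toy line-based control-channel parser reproduces the skip-unknown-lines behaviour the article describes, beside a hardened variant that authenticates the session, fails closed on the first unexpected line, and refuses non-local config sources. The command names, the session token and the sample POST are constructed.

```python
import re

# Constructed toy command set; the vendors' real protocols are not on the page.
COMMANDS = {"LOAD_CONFIG", "START", "STOP"}
HTTP_REQUEST_LINE = re.compile(r"^[A-Z]{3,7} \S+ HTTP/\d\.\d$")
HTTP_HEADER_LINE = re.compile(r"^[A-Za-z-]+: ")

# Constructed sample of a browser-initiated POST landing on a local control
# port; the port and config path are placeholders, not a working payload.
CONSTRUCTED_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:65000\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "LOAD_CONFIG C:\\Users\\Public\\placeholder.ovpn\r\n"
    "START\r\n"
)

def lenient_parse(raw: str) -> list[tuple[str, str]]:
    """Weak behaviour from the article: unknown lines are skipped, so the HTTP
    request line and headers vanish and the body's commands are accepted."""
    accepted = []
    for line in raw.split("\n"):
        verb, _, arg = line.strip().partition(" ")
        if verb in COMMANDS:
            accepted.append((verb, arg))
    return accepted

def strict_parse(raw: str, expected_token: str) -> tuple[list[tuple[str, str]], str]:
    """Hardened variant: a per-session token (assumed to be shared with the GUI
    out of band) must come first, any unexpected line aborts the whole session,
    HTTP framing is named so it can be logged, and only local config paths pass."""
    lines = raw.rstrip("\r\n").split("\n")
    if lines[0].strip() != f"AUTH {expected_token}":
        return [], "missing or wrong session token on first line"
    accepted = []
    for line in lines[1:]:
        line = line.strip()
        if HTTP_REQUEST_LINE.match(line) or HTTP_HEADER_LINE.match(line):
            return [], f"HTTP framing on control channel: {line!r}"
        if not line:
            return [], "blank line (HTTP header/body separator) rejected"
        verb, _, arg = line.partition(" ")
        if verb not in COMMANDS:
            return [], f"unknown command: {verb!r}"
        if verb == "LOAD_CONFIG" and (not arg or arg.startswith("\\\\") or "://" in arg):
            return [], f"non-local config source rejected: {arg!r}"
        accepted.append((verb, arg))
    return accepted, "ok"
```

Independently of the channel, a back end that must load user-supplied configs can also start OpenVPN with its real --script-security 1 option, which keeps directives such as up from launching user-defined programs.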

“The attacker does not need to set up a dedicated OpenVPN server of their own because the ‘up’ OpenVPN directive command is being executed before the connection to the OpenVPN server occurs,” Claroty said.

To achieve remote code execution, however, the victim machine must be able to reach the attacker-controlled SMB server, meaning that the attacker either needs to be on the same domain network as the target system, or the victim computer must be configured to allow SMB access to external servers, the researchers note.

A total of five CVE identifiers were issued based on Claroty’s research: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
