Security researchers at Claroty have raised the alarm for a series of severe code execution vulnerabilities affecting virtual private network (VPN) solutions relying on OpenVPN.
The company documented four security errors in products from HMS Industrial Networks, MB connect line, PerFact, and Siemens that allow attackers to achieve code execution by tricking potential victims into visiting a maliciously crafted web page.
VPN solutions are designed to provide users with means to encrypt the traffic flowing between their devices and a specific network, to ensure that potentially sensitive data is transmitted securely, and OpenVPN is the most common implementation of a VPN solution.
During its analysis of OpenVPN-based solutions, Claroty discovered that vendors usually deploy OpenVPN as a service with SYSTEM privileges, which poses security risks, because any remote or local applications can control an OpenVPN instance to initiate or terminate a secured connection.
Typically, a VPN client-server architecture involves the presence of a front end (a GUI application), a back end (which receives commands from the front-end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection).
Because in most cases cleartext protocol is used within the dedicated socket channel through which the front end controls the back end, without any form of authentication, “anyone with access to the local TCP port the back end listens on, could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration,” Claroty explained.
[ READ: NSA, CISA Issue Guidance on Selecting and Securing VPNs ]
An attacker looking to exploit this flaw would simply need to trick the victim into accessing a malicious website containing embedded JavaScript code designed to send a blind POST request locally, to inject commands in the VPN client back end. This is a classic Server-Side Request Forgery (SSRF) case, the company said.
“Once the victim clicks the link, a HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with n, the back end server will read and ignore all the lines until reaching a meaningful command,” according to Claroty’s documentation.
Because the back end server will automatically parse and execute any valid commands it may receive, it could be instructed to load a remote configuration file containing specific commands leading to code execution or the installation of malicious payloads.
“The attacker does not need to set up a dedicated OpenVPN server of their own because the up OpenVPN directive command is being executed before the connection to the OpenVPN server occurs,” Claroty said.
To achieve remote code execution, however, access to the attacker-controlled SMB server is needed, meaning that the attacker needs to either be on the domain network with the target system, or the victim computer set to allow SMB access to external servers, the researchers note.
A total of five CVE identifiers were issued based on Claroty’s research: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).
Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs
Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw