Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
"This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information," Vladimir Tokarev of the Microsoft Threat Intelligence Community said.
That said, the exploit, presented at Black Hat USA 2024, requires user authentication and an advanced understanding of OpenVPN's internal workings. The flaws affect all versions of OpenVPN prior to 2.6.10 and 2.5.10.
The list of vulnerabilities is as follows –
- CVE-2024-27459 – A stack overflow vulnerability leading to a Denial-of-Service (DoS) and LPE in Windows
- CVE-2024-24974 – Unauthorized access to the "openvpnservice" named pipe in Windows, allowing an attacker to remotely interact with it and launch operations on it
- CVE-2024-27903 – A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD
- CVE-2024-1305 – A memory overflow vulnerability leading to DoS in Windows
The first three of the four flaws are rooted in a component named openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver.
All the vulnerabilities could be exploited once an attacker gains access to a user's OpenVPN credentials, which, in turn, could be obtained through various methods, including purchasing stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them.
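Since all four flaws are fixed in 2.6.10 and 2.5.10, the first defensive step is an inventory check. The following is an added example, not code from the article, Microsoft or the OpenVPN project: it parses the first line of `openvpn --version` output (assumed to start with "OpenVPN <major>.<minor>.<patch>") and flags builds below the fixed releases. The interpretation of "prior to 2.6.10 and 2.5.10" as two maintained branches (2.5.x fixed from 2.5.10, 2.6.x fixed from 2.6.10, everything older affected, 2.7+ unaffected) and the hostnames and banners in the sample inventory are assumptions constructed for the example.

```python
import re

# Fixed releases named in the advisory.
FIXED_2_5 = (2, 5, 10)
FIXED_2_6 = (2, 6, 10)

# Assumption: the first line of `openvpn --version` begins with "OpenVPN X.Y.Z".
VERSION_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an `openvpn --version` banner line."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenVPN version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True if the build predates the fix on its branch (assumed branch model).

    2.6.10+ (and anything newer, e.g. 2.7.x) : fixed
    2.6.0 .. 2.6.9                           : affected
    2.5.10 .. 2.5.x                          : fixed (2.5 branch backport)
    anything below 2.5.10                    : affected
    """
    major, minor, _patch = version
    if version >= FIXED_2_6:
        return False
    if (major, minor) == (2, 6):
        return True
    return version < FIXED_2_5


def triage(inventory: dict) -> dict:
    """Map host -> {'version': 'X.Y.Z', 'affected': bool, 'error': str|None}."""
    report = {}
    for host, banner in inventory.items():
        try:
            v = parse_version(banner)
            report[host] = {"version": ".".join(map(str, v)),
                            "affected": is_affected(v), "error": None}
        except ValueError as exc:
            # Unparseable banner: surface it rather than silently marking safe.
            report[host] = {"version": None, "affected": None, "error": str(exc)}
    return report


# Constructed sample inventory (hostnames and banners invented for this example).
SAMPLE_INVENTORY = {
    "vpn-gw-01": "OpenVPN 2.6.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "vpn-gw-02": "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "laptop-17": "OpenVPN 2.5.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11]",
    "laptop-23": "OpenVPN 2.4.12 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11]",
    "kiosk-04":  "openvpn: command not found",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {row['version'] or '-':8} affected={row['affected']} {row['error'] or ''}")
```

Feed it the first line of `openvpn --version` collected from each endpoint (for example via your EDR or configuration-management tool), and treat an unparseable banner as "unknown, investigate" rather than as patched.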
The vulnerabilities could then be chained in different combinations – CVE-2024-24974 with CVE-2024-27903, or CVE-2024-27459 with CVE-2024-27903 – to achieve RCE and LPE, respectively.
"An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain," Tokarev said, adding they could leverage methods like Bring Your Own Vulnerable Driver (BYOVD) after achieving LPE.
"Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system's core functions, further entrenching their control and avoiding detection."