Remote Code Execution and Privilege Escalation Risks in OpenVPN
In August 2024, Microsoft disclosed four medium-severity vulnerabilities in the open-source VPN software OpenVPN. Chained together, they allow an attacker to achieve remote code execution (RCE) and local privilege escalation (LPE) on a target system.
A successful attack could give an attacker full control over the targeted device, leading to data theft, system compromise and unauthorized access to sensitive information. Exploitation is not trivial: it requires valid user authentication to the VPN and a deep understanding of OpenVPN's internal workings. All OpenVPN releases prior to 2.6.10 and 2.5.10 are affected; those two releases contain the fixes, so updating to them (or a later release) is the remediation.
The list of identified vulnerabilities includes:
- CVE-2024-27459 — A stack overflow vulnerability leading to denial of service (DoS) and privilege escalation on Windows.
- CVE-2024-24974 — Unauthorized access to the named pipe “\openvpn\service” on Windows, allowing a remote attacker to interact with it and initiate operations.
- CVE-2024-27903 — A flaw in the plugin mechanism that results in remote code execution on Windows and privilege escalation and data manipulation on Android, iOS, macOS, and BSD.
- CVE-2024-1305 — A memory overflow vulnerability causing denial of service on Windows.
The first three vulnerabilities are in openvpnserv, the Windows service component that runs with SYSTEM privileges; the fourth, CVE-2024-1305, is in the Windows TAP driver.
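As an added example (not code from OpenVPN or from Microsoft's advisory), the following Python check parses the first line of `openvpn --version`, compares the release number against the fixed releases named above (2.5.10 and 2.6.10), and lists the CVEs the advisory attributes to the host's platform. The banner strings inside it are constructed samples, and treating any branch newer than 2.6 as containing the fixes is an assumption of the example, not a statement from the advisory.

```python
"""Check an `openvpn --version` banner against the fixed releases named in the advisory.

Added example, not code from OpenVPN or Microsoft. The banner strings below are
constructed samples modelled on the real first line of `openvpn --version`.
"""
import re

# Fixed releases from the advisory: 2.5.10 for the 2.5 branch, 2.6.10 for the 2.6 branch.
FIXED_RELEASE = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}

# CVEs by platform, as listed in the advisory. Platforms it does not name get an empty tuple.
CVES_BY_PLATFORM = {
    "windows": ("CVE-2024-27459", "CVE-2024-24974", "CVE-2024-27903", "CVE-2024-1305"),
    "android": ("CVE-2024-27903",),
    "ios": ("CVE-2024-27903",),
    "macos": ("CVE-2024-27903",),
    "bsd": ("CVE-2024-27903",),
}

# The first line of `openvpn --version` starts with "OpenVPN <major>.<minor>.<patch>".
_RELEASE_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)\b")


def parse_release(banner: str):
    """Return (major, minor, patch) from a version banner, or None when the banner
    carries no full release number (git snapshots such as "OpenVPN 2.7_git")."""
    m = _RELEASE_RE.match(banner.strip())
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(release) -> bool:
    """True when the release is at or after the fixed release for its branch."""
    branch = release[:2]
    if branch in FIXED_RELEASE:
        return release >= FIXED_RELEASE[branch]
    # Assumption of this example: branches newer than 2.6 include the fixes.
    # The advisory names no fixed release for 2.4 and older, so they stay vulnerable.
    return branch > (2, 6)


def assess(banner: str, platform: str) -> dict:
    """Classify a host as 'fixed', 'vulnerable' or 'unknown' and list the CVEs the
    advisory attributes to its platform. Unparseable banners are reported as
    'unknown' rather than silently treated as safe."""
    release = parse_release(banner)
    if release is None:
        status = "unknown"
    else:
        status = "fixed" if is_fixed(release) else "vulnerable"
    return {
        "release": release,
        "status": status,
        "cves": CVES_BY_PLATFORM.get(platform.lower(), ()),
    }


if __name__ == "__main__":
    # Constructed sample banners (not real inventory data).
    samples = [
        ("OpenVPN 2.6.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4]", "windows"),
        ("OpenVPN 2.6.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4]", "windows"),
        ("OpenVPN 2.5.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO]", "macos"),
        ("OpenVPN 2.4.12 x86_64-pc-freebsd [SSL (OpenSSL)] [LZO]", "bsd"),
        ("OpenVPN 2.7_git x86_64-pc-linux-gnu [SSL (OpenSSL)]", "linux"),
    ]
    for banner, platform in samples:
        print(platform, assess(banner, platform))
```

The check deliberately refuses to guess for snapshot builds without a full release number, and it reports an empty CVE list for platforms the advisory does not name rather than inventing an attribution.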
All four vulnerabilities require the attacker to hold the user's OpenVPN credentials, which could be obtained in the usual ways: bought on criminal markets, harvested by infostealer malware, or intercepted from network traffic.
Once authenticated, an attacker can chain the flaws, for example CVE-2024-24974 with CVE-2024-27903, or CVE-2024-27459 with CVE-2024-27903, to achieve remote code execution and local privilege escalation respectively.
With elevated privileges in hand, the attacker can then turn to techniques such as Bring Your Own Vulnerable Driver (BYOVD): loading a legitimately signed but exploitable kernel driver to bypass Protected Process Light (PPL) protection on critical processes such as Microsoft Defender, terminate or blind security software, and tamper with other essential system processes, thereby circumventing security controls and manipulating core system functions.