Microsoft found OpenVPN bugs that can be chained to achieve RCE and LPE

Microsoft found four bugs in OpenVPN that could be chained to achieve remote code execution and local privilege escalation.

During the Black Hat USA 2024 conference, Microsoft researchers disclosed multiple medium-severity bugs in the open-source project OpenVPN that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).

OpenVPN is open-source software that provides a secure and flexible way to establish a Virtual Private Network (VPN) connection.

Attackers can exploit the flaws to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.

“This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information,” reads the post published by Microsoft. “Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems.”

The exploitation of these flaws requires user authentication and a deep understanding of OpenVPN’s inner workings. The vulnerabilities impact all versions of OpenVPN prior to versions 2.6.10 and 2.5.10.

Below is a list of the discovered vulnerabilities:

| CVE ID | OpenVPN component | Impact | Affected platform |
|---|---|---|---|
| CVE-2024-27459 | openvpnserv | Denial of service (DoS), local privilege escalation (LPE) | Windows |
| CVE-2024-24974 | openvpnserv | Unauthorized access | Windows |
| CVE-2024-27903 | openvpnserv | Remote code execution (RCE) | Windows |
| | | Local privilege escalation (LPE), data manipulation | Android, iOS, macOS, BSD |
| CVE-2024-1305 | Windows TAP driver | Denial of service (DoS) | Windows |
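The version boundaries stated above (fixes in 2.6.10 and 2.5.10) can be turned into an inventory check over collected `openvpn --version` banners. The Python below is an added example, not code from Microsoft or the OpenVPN project; the banner strings and host names are constructed samples, and treating branches older than 2.5 as affected and branches newer than 2.6 as "unlisted" is an assumption drawn from the article's wording.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}

# First line of `openvpn --version` starts with "OpenVPN <version> ...".
BANNER_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)(?:\.(\d+))?(\S*)")


def parse_version(banner):
    """Return ((major, minor, patch), suffix) or None if no version is found."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(banner):
    """Classify a banner as 'affected', 'fixed', 'unlisted' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"            # not an OpenVPN banner: check by hand
    version, suffix = parsed
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        # A pre-release tag such as "_rc1" on the fixed number predates it.
        prerelease = suffix.startswith(("_", "-"))
        if version < fixed or (version == fixed and prerelease):
            return "affected"
        return "fixed"
    if branch < min(FIXED):
        return "affected"           # assumption: "all versions prior to"
    return "unlisted"               # newer branch the article does not name


def affected_hosts(inventory):
    """Given {host: banner}, return the sorted hosts that need patching."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (not real hosts or captured output).
SAMPLE = {
    "win-laptop-01": "OpenVPN 2.6.9 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "win-laptop-02": "OpenVPN 2.6.10 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "mac-dev-07": "OpenVPN 2.5.9 x86_64-apple-darwin [SSL (OpenSSL)]",
    "bsd-gw-01": "OpenVPN 2.4.12 amd64-portbld-freebsd13.2 [SSL (OpenSSL)]",
    "lab-rc": "OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)]",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE):
        print(f"{host}: upgrade required ({SAMPLE[host].split()[1]})")
```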

An attacker can exploit these vulnerabilities after obtaining a user’s credentials through different methods, such as purchasing them on the dark web, using an info stealer, or capturing NTLMv2 hashes from network traffic and cracking them with tools like HashCat or John the Ripper.

“As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain,” concludes the post. “Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.”

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)