Microsoft on Thursday disclosed four medium-severity security vulnerabilities in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
“This series of attacks could grant attackers complete control over specific endpoints, potentially leading to data breaches, system compromises, and unauthorized access to confidential information,” said Vladimir Tokarev of the Microsoft Threat Intelligence Community.
The exploitation showcased at Black Hat USA 2024 requires user authentication and a deep understanding of OpenVPN’s internals. The vulnerabilities affect all versions of OpenVPN prior to 2.6.10 and 2.5.10.
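As an added example (not part of Microsoft's advisory or OpenVPN's own tooling), the following Python check parses `openvpn --version` output and reports whether an installed build predates the 2.5.10 / 2.6.10 fixes for its branch. The treatment of branches other than 2.5 and 2.6 (older branches counted as unfixed, newer ones as fixed) is an assumption made here.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory: 2.5.10 for the 2.5 branch and 2.6.10
# for the 2.6 branch. Assumption: branches older than 2.5 are treated as
# unfixed and branches newer than 2.6 as carrying the fix.
FIXED_RELEASES = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from a line such as 'OpenVPN 2.6.9 x86_64-...'."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the build predates the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    return branch < (2, 5)  # assumption: older branches unfixed, newer fixed


def check_installed(openvpn_bin: str = "openvpn") -> Optional[bool]:
    """Run the local binary and classify it; None if no version could be read."""
    try:
        proc = subprocess.run([openvpn_bin, "--version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_version(proc.stdout + proc.stderr)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"
    v = parse_version(sample)
    print(v, "affected" if v and is_affected(v) else "fixed or unknown")
```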
The four vulnerabilities are:
- CVE-2024-27459 – A Windows stack overflow vulnerability leading to a Denial-of-Service (DoS) situation and LPE
- CVE-2024-24974 – Unauthorized access to the “openvpnservice” named pipe in Windows, enabling a remote attacker to interact with it and initiate operations on it
- CVE-2024-27903 – A plugin mechanism weakness leading to RCE in Windows, and LPE and data interference in Android, iOS, macOS, and BSD
- CVE-2024-1305 – A Windows memory overflow vulnerability resulting in a DoS scenario
The initial three flaws are linked to a component known as openvpnserv, while the last resides in the Windows Terminal Access Point (TAP) driver.
All four vulnerabilities become exploitable once an attacker holds a user’s OpenVPN credentials, which could be obtained in various ways, such as buying stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and cracking them with tools like Hashcat or John the Ripper.
An attacker could combine different vulnerabilities in multiple ways — CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 — to achieve RCE and LPE, respectively.

“At least three of the four identified vulnerabilities could be utilized by an attacker to create exploits for RCE and LPE, which could then be interconnected into a potent attack sequence,” Tokarev said, noting that attackers could go on to leverage techniques like Bring Your Own Vulnerable Driver (BYOVD) after achieving LPE.
“By employing these methodologies, the attacker can, for example, circumvent Protected Process Light (PPL) for critical processes like Microsoft Defender or circumvent and tamper with other essential processes within the system. Such actions empower attackers to bypass security solutions, manipulate fundamental system functions, solidify their control, and evade detection,” he added.