Microsoft recently identified four medium-severity security vulnerabilities in the popular open-source OpenVPN
software that, when chained together, can lead to remote code execution (RCE) and local privilege escalation (LPE).
Vladimir Tokarev of the Microsoft Threat Intelligence Community warned, “This attack
chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data
breaches, system compromise, and unauthorized access to sensitive information.” The vulnerabilities affect all
versions of OpenVPN prior to 2.6.10 and 2.5.10, the releases that fix them.
The list of vulnerabilities includes:
- CVE-2024-27459 – Stack overflow vulnerability leading to Denial-of-Service (DoS) and LPE in Windows
- CVE-2024-24974 – Unauthorized access to the “\\openvpn\\service” named pipe in Windows, allowing an attacker to remotely interact with it and launch operations on it
- CVE-2024-27903 – Vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation on other platforms
- CVE-2024-1305 – Memory overflow vulnerability leading to DoS in Windows
Three of the four vulnerabilities are located in the openvpnserv component (the OpenVPN service binary on
Windows), while the fourth, CVE-2024-1305, is in the Windows TAP driver.
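As a practical follow-up to the version and component details above, here is an added example (not code from the article, from Microsoft, or from the OpenVPN project) that reads the installed OpenVPN for Windows version from the standard Uninstall registry keys, compares it against the 2.5.10 / 2.6.10 fix releases, and then looks for the openvpnserv named pipe. The "OpenVPN*" DisplayName prefix, the DisplayVersion format and the \\.\pipe\openvpn\service pipe path are assumptions about a typical OpenVPN for Windows install.

```powershell
# Added example: flag OpenVPN for Windows installs that predate the 2.5.10 / 2.6.10
# fix releases, and report whether the openvpnserv named pipe is present.
# Assumptions (not from the article): OpenVPN registers under the standard
# Uninstall keys with a DisplayName beginning "OpenVPN" and a numeric
# DisplayVersion such as "2.6.9"; the Interactive Service pipe is
# \\.\pipe\openvpn\service.

# First fixed release on each supported branch (from the article)
$fixed = @{ '2.5' = [version]'2.5.10'; '2.6' = [version]'2.6.10' }

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'OpenVPN*' -and $_.DisplayVersion }

if (-not $installs) {
    Write-Output 'No OpenVPN entry found in the Uninstall registry keys.'
}

foreach ($entry in $installs) {
    # Keep only the leading numeric part, e.g. "2.6.9-I001" -> "2.6.9"
    $verText = ($entry.DisplayVersion -split '[^0-9.]')[0]
    if ($verText -notmatch '^\d+\.\d+') {
        Write-Output ("{0}: could not parse version '{1}'" -f $entry.DisplayName, $entry.DisplayVersion)
        continue
    }
    $ver    = [version]$verText
    $branch = "$($ver.Major).$($ver.Minor)"

    if ($fixed.ContainsKey($branch)) {
        $status = if ($ver -lt $fixed[$branch]) { 'VULNERABLE: update required' } else { 'patched' }
    } elseif ($ver -lt [version]'2.5.0') {
        # Older branches are also "prior to 2.5.10 / 2.6.10" and are no longer maintained
        $status = 'VULNERABLE: unsupported branch older than 2.5, upgrade'
    } else {
        $status = 'newer branch than 2.6, not covered by these four CVEs'
    }
    Write-Output ("{0} ({1}): {2}" -f $entry.DisplayName, $ver, $status)
}

# Presence of the pipe named in CVE-2024-24974 shows the interactive service is running.
# The pipe path is an assumption for this check; names are listed from the pipe namespace.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like '*openvpn*service*' }
if ($pipes) {
    Write-Output "openvpnserv named pipe present: $($pipes -join ', ')"
} else {
    Write-Output 'No openvpn service named pipe found (service not running or not installed).'
}
```

Run it from an elevated PowerShell on each endpoint; an entry reported as VULNERABLE should be upgraded to 2.5.10 or 2.6.10 (or later), and a present pipe on an unpatched host means the service exposed by CVE-2024-24974 is live.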
Exploitation first requires a user’s OpenVPN credentials. These can be obtained in several ways, such as
purchasing stolen credentials, deploying credential-stealing malware, or sniffing network traffic to capture
NTLMv2 hashes and cracking them offline.
Once authenticated, an attacker can chain the individual vulnerabilities to achieve both RCE and LPE, gaining
a much stronger foothold on the endpoint than any single flaw allows.

According to Tokarev, this chaining lets attackers mount powerful attacks while evading security mechanisms.