OpenVPN has long been a popular choice for creating secure point-to-point or site-to-site connections over the internet. Its open-source nature and robust encryption capabilities have made it a staple in many organizations’ and individuals’ security arsenals. However, a recent discovery by Microsoft researchers has unveiled a critical flaw in this widely trusted software.
In March 2024, Microsoft reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Now, Microsoft researchers have uncovered multiple vulnerabilities within OpenVPN that could potentially be exploited to gain unauthorized access to systems. These vulnerabilities severely threaten the security of millions of users worldwide who rely on OpenVPN for their online privacy and data protection.
The Discovered Vulnerabilities
Microsoft’s research uncovered a series of critical vulnerabilities within OpenVPN. When exploited in combination, these flaws could grant attackers unfettered access to target systems.
- Remote Code Execution (RCE): One of the most severe vulnerabilities discovered allows malicious actors to execute arbitrary code on a compromised system. This could enable them to install malware, steal data, or take complete control of the affected device.
- Local Privilege Escalation (LPE): Another critical issue identified was a local privilege escalation vulnerability. While requiring initial access to a system, this flaw could be leveraged to elevate an attacker’s privileges, granting them extensive control over the machine.
Here are the four discovered vulnerabilities:
| CVE ID | OpenVPN component | Impact | Affected platform |
|---|---|---|---|
| CVE-2024-1305 | Windows TAP driver | Denial of service (DoS) | Windows |
| CVE-2024-27459 | openvpnserv | DoS, LPE | Windows |
| CVE-2024-24974 | openvpnserv | Unauthorized access | Windows |
| CVE-2024-27903 | openvpnserv | RCE | Windows |
| LPE, data manipulation | Android, iOS, macOS, BSD |
1. CVE-2024-1305
Microsoft discovered a vulnerability in the “tap-windows6” project, which involves the development of the Terminal Access Point (TAP) adapter used by OpenVPN. The device.c file in the project’s src directory contains the code for the TAP device object and its initialization.
In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods that manage various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.
The TapDeviceWrite method performs several operations before ultimately calling TapSharedSendPacket. This method, in turn, invokes NdisAllocateNetBufferAndNetBufferLists twice. In one case, it calls this function with the fullLength parameter.
2. CVE-2024-27459
The second vulnerability Microsoft discovered is in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service — these components communicate through a named pipe.
The openvpnserv.exe service continuously reads the message size from the openvpn.exe process in an infinite loop and processes the received message by calling the HandleMessage method. The HandleMessage method retrieves the size from the infinite loop and then casts the read bytes to the appropriate type based on this size.
This communication mechanism is flawed because reading a user-specified number of bytes into an n-byte structure on the stack can result in a stack overflow vulnerability.
3. CVE-2024-24974
The third vulnerability involves unauthorized access to an operating system resource. The openvpnserv.exe service creates a new openvpn.exe process in response to user requests it receives via the \\openvpn\\service named pipe. This vulnerability allows remote access to the named service pipe, allowing an attacker to interact with and execute operations on the service remotely.
4. CVE-2024-27903
Finally, Microsoft discovered a vulnerability in OpenVPN’s plugin mechanism that allows plugins to be loaded from various paths on an endpoint device. Attackers can exploit this behavior to load malicious plugins from these different locations.
How Attackers Can Exploit These Vulnerabilities
Microsoft stated that attackers could exploit at least three of the four discovered vulnerabilities to achieve RCE and LPE. These vulnerabilities can be combined to create a potent attack chain.
However, several adjustments are necessary to exploit the full attack chain. Specifically, the malicious payloads designed to crash openvpnserv.exe and those that simulate openvpnserv.exe behavior after the crash must be loaded using the malicious plugin.
Once LPE is achieved, attackers might use techniques such as Bring Your Own Vulnerable Driver (BYOVD) or exploit other known vulnerabilities to gain more control over the endpoint. This could involve disabling Protect Process Light (PPL) for critical processes like Microsoft Defender or bypassing and interfering with other essential system processes. Such actions enable attackers to evade security measures, manipulate core system functions, and solidify their control while remaining undetected.
Potential Impact
Successful exploitation of these vulnerabilities could lead to catastrophic data breaches. Sensitive personal information, financial data, and corporate secrets could fall into the wrong hands, resulting in identity theft, financial fraud, and reputational damage.
Also, the aftermath of a data breach can be financially devastating. Organizations may face hefty costs associated with incident response, legal fees, and remediation efforts. Individuals might face costs for identity theft recovery and credit monitoring.
Beyond data loss, attackers can gain complete control over compromised systems, allowing them to install ransomware, disrupt operations, or use the system as a launching pad for further attacks.
The Patch
In response to the critical vulnerabilities discovered, OpenVPN swiftly released a patch to address these security flaws. OpenVPN versions earlier than 2.5.10 and 2.6.10 are susceptible to known vulnerabilities. Check if you’re running an affected version, and if so, promptly apply the necessary patch available for OpenVPN 2.6.10.
To further minimize the risk of exploitation, consider these additional steps:
- Ensure that all devices in your network are updated with the latest patches from the OpenVPN website.
- Disconnect OpenVPN clients from the internet and keep them on a separate network segment.
- Restrict access to OpenVPN clients to authorized users only.
You can further reduce risks by enforcing proper network segmentation, requiring strong usernames and passwords, and limiting the number of users with write access.
Importance of Endpoint Security in Private & Enterprise Sectors
Given OpenVPN’s widespread use across different vendors, industries, and sectors, the vulnerabilities identified can affect various devices and environments, making vulnerability management hard. Exploiting these vulnerabilities demands user authentication, a thorough understanding of OpenVPN’s internal mechanisms, and intermediate OS knowledge. However, successful exploitation could have severe consequences for both private and enterprise endpoints.
An attacker could use a vulnerable version of OpenVPN to execute a multi-stage attack on a device, potentially gaining complete control over it. This level of control could lead to the theft of sensitive data, data tampering, or even the destruction of critical information, posing significant risks to both personal and business environments.
Discovering these vulnerabilities highlights the crucial need for responsible disclosure and the importance of securing enterprise and endpoint systems. It also underscores the collective efforts required from the security community to safeguard devices across diverse platforms and enhance protections for everyone.
Learn how you can integrate your endpoint security with network security solutions to improve protection and provide unified administration for full coverage against multiple threats.
