Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
“This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information,” Vladimir Tokarev of the Microsoft Threat Intelligence Community said.
That said, the exploit, presented at Black Hat USA 2024, requires user authentication and a deep understanding of OpenVPN’s internal workings. The flaws affect all versions of OpenVPN prior to versions 2.6.10 and 2.5.10.
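Because the fix lands in two release branches, a quick way to triage a fleet is to parse the `openvpn --version` banner and compare the version numerically against the two fixed releases named above. The following Python check is an added example, not code from the original article or from the OpenVPN project; the banner layout is the one the binary prints, while the hostnames and version strings are constructed.

```python
import re

# Fixed releases named in the advisory: 2.5.10 and 2.6.10. Every build before
# those (including the whole 2.4.x line and older) is reported as affected.
FIXED_RELEASES = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}
LATEST_FIXED = (2, 6, 10)

# Matches the leading "OpenVPN 2.6.9 ..." of an `openvpn --version` banner and
# tolerates suffixes such as "2.6.9_git" or "2.5.10-rc1".
_VERSION_RE = re.compile(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)")

def parse_openvpn_version(banner: str) -> tuple:
    """Return (major, minor, patch) from an `openvpn --version` banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no OpenVPN version found in: {banner!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version: tuple) -> bool:
    """True when the build predates the fix for its release branch.

    Numeric tuples are compared on purpose: a plain string comparison ranks
    "2.6.9" above "2.6.10" and would report a vulnerable build as patched.
    """
    branch = version[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        return version < fixed        # 2.5.x / 2.6.x: compare within the branch
    return version < LATEST_FIXED     # older branches such as 2.4.x are all affected

def triage(banners: dict) -> dict:
    """Map hostname -> 'affected' / 'fixed' for a set of collected banners."""
    result = {}
    for host, banner in banners.items():
        result[host] = "affected" if is_affected(parse_openvpn_version(banner)) else "fixed"
    return result

if __name__ == "__main__":
    # Constructed sample banners; hostnames and version numbers are made up.
    SAMPLE_BANNERS = {
        "vpn-gw-01": "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
        "vpn-gw-02": "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
        "legacy-01": "OpenVPN 2.5.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]",
        "legacy-02": "OpenVPN 2.4.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]",
    }
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```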
The listing of vulnerabilities is as follows –
- CVE-2024-27459 – A stack overflow vulnerability leading to a Denial-of-Service (DoS) and LPE in Windows
- CVE-2024-24974 – Unauthorized access to the “openvpnservice” named pipe in Windows, allowing an attacker to remotely interact with it and launch operations on it
- CVE-2024-27903 – A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD
- CVE-2024-1305 – A memory overflow vulnerability leading to DoS in Windows
The first three of the four flaws are rooted in a component named openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver.
All of the vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which, in turn, could be obtained through various methods, including purchasing stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them.
An attacker could then chain these flaws in different combinations — CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 — to achieve RCE and LPE, respectively.
“An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain,” Tokarev said, adding they could employ techniques like Bring Your Own Vulnerable Driver (BYOVD) after achieving LPE.
“Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.”