Critical OpenVPN Vulnerabilities Expose Millions of Devices to RCE Attack


Microsoft researchers have recently uncovered multiple medium-severity vulnerabilities in OpenVPN, a widely used open-source VPN software.

OpenVPN is used by thousands of companies across various industries, including information technology, financial services, telecommunications, and computer software, on major platforms such as Windows, iOS, macOS, Android, and BSD.


These vulnerabilities can be exploited to achieve remote code execution (RCE) and local privilege escalation (LPE), which could allow attackers to gain full control over targeted devices. This poses a risk of data breaches, system compromise, and unauthorized access to sensitive information.

Client Server Model

The vulnerabilities were identified in OpenVPN’s client-side architecture, specifically in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. The affected versions include all releases prior to OpenVPN 2.6.10 and 2.5.10.

The key vulnerabilities are:

  • CVE-2024-27459: A stack overflow vulnerability in openvpnserv that can lead to denial-of-service (DoS) and LPE on Windows systems.
  • CVE-2024-24974: Unauthorized access vulnerability allowing remote interaction with the \openvpn\service named pipe on Windows.
  • CVE-2024-27903: A flaw in the plugin mechanism that can result in RCE on Windows and LPE and data manipulation on Android, iOS, macOS, and BSD.
  • CVE-2024-1305: A memory overflow vulnerability in the Windows TAP driver causing DoS.

Exploitation of these vulnerabilities requires user authentication and a deep understanding of OpenVPN’s inner workings. Attackers could chain these vulnerabilities to achieve RCE and LPE, thereby gaining full control over targeted endpoints. This could lead to data breaches, system compromises, and unauthorized access to sensitive information.

Microsoft reported these vulnerabilities to OpenVPN in March 2024 through Coordinated Vulnerability Disclosure. OpenVPN has since released patches to address these issues. Users are strongly urged to update to the latest versions, 2.6.10 or 2.5.10, to mitigate potential risks. Additional recommendations include:

  • Segregating OpenVPN clients from the internet and unauthorized users.
  • Implementing strong authentication measures and reducing the number of users with write access.
  • Continuously monitoring for unusual activities and ensuring endpoint security measures are up to date.

To mitigate these risks, OpenVPN users are strongly urged to update to the latest versions (2.6.10 or 2.5.10) immediately.

To verify that your OpenVPN installation is up to date, check the installed version:

openvpn --version
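
The version check above can be scripted for an inventory of hosts. The following is an added example, not code from OpenVPN or Microsoft: it parses the first line of `openvpn --version` output and compares it numerically against the fixed releases named in this article. The function names and sample banners are constructed, and treating branches newer than 2.6 as patched is an assumption.

```python
import re
import subprocess

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(2, 6): 10, (2, 5): 10}
_BANNER = re.compile(r"^OpenVPN (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)

def parse_version(banner):
    """Return (major, minor, patch) from `openvpn --version` output, or None."""
    m = _BANNER.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def status(banner):
    """Classify a banner as 'patched', 'affected' or 'unknown'."""
    ver = parse_version(banner)
    if ver is None:
        return "unknown"
    major, minor, patch = ver
    if (major, minor) in FIXED:
        # Compare numerically: as strings, "2.6.9" sorts after "2.6.10".
        return "patched" if patch >= FIXED[(major, minor)] else "affected"
    # Assumption: branches older than 2.5 predate both fixes, newer ones include them.
    return "affected" if (major, minor) < (2, 5) else "patched"

def local_status(binary="openvpn"):
    """Run the local binary and classify it; 'unknown' if it cannot be run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return status(out)

# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "OpenVPN 2.5.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4]",
    "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{status(line):9} {line.split()[1]}")
    print("local:", local_status())
```

A distribution package may carry backported fixes under an older version number, so an "affected" result is a prompt to check the vendor's advisory rather than a final verdict.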

By ensuring your OpenVPN installation is up-to-date, you can protect your system from vulnerabilities and benefit from the latest security enhancements and features.
