Microsoft has disclosed four medium-severity security vulnerabilities in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
«This attack chain could allow attackers to gain full control over the targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information,» said Vladimir Tokarev from the Microsoft Threat Intelligence Community.
The findings were presented at Black Hat USA 2024. Exploiting the flaws requires user authentication and a deep understanding of OpenVPN's internals. They affect all versions of OpenVPN prior to 2.6.10 and 2.5.10.
The vulnerability list includes:
CVE-2024-27459 – A stack overflow vulnerability leading to denial of service (DoS) and LPE in Windows
CVE-2024-24974 – Unauthorized access to the named pipe «\\openvpn\\service» in Windows, allowing an attacker to interact with it remotely and launch operations on it
CVE-2024-27903 – A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD
CVE-2024-1305 – A memory overflow vulnerability leading to DoS in Windows
The first three of the four flaws originate from a component called openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver.
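The practical first step for a defender is to find which hosts still run a build older than the fixed releases. The following script, added here as an illustration and not code from Microsoft, OpenVPN or The Hacker News, parses the version token from constructed `openvpn --version` banners and flags anything before 2.5.10 on the 2.5 branch or before 2.6.10 otherwise. Following the article's wording that all versions prior to those releases are affected, it treats older branches such as 2.4.x as affected and later branches as fixed; the hostnames and banners are made up for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory: 2.5.10 for the 2.5 branch, 2.6.10 for 2.6.
FIXED_2_5: Version = (2, 5, 10)
FIXED_2_6: Version = (2, 6, 10)


def parse_openvpn_version(banner: str) -> Optional[Version]:
    """Extract major.minor.patch from the first line of `openvpn --version`.
    A banner without a patch number (e.g. a 2.6_rc build) gets patch 0.
    Returns None when no version token is present."""
    m = re.search(r"\bOpenVPN (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: Version) -> bool:
    """True for builds prior to 2.5.10 on the 2.5 branch and prior to 2.6.10
    elsewhere (which, per the advisory wording, includes everything older than 2.5)."""
    if version[:2] == (2, 5):
        return version < FIXED_2_5
    return version < FIXED_2_6


def triage(inventory: Iterable[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """inventory: (hostname, banner) pairs. Returns two sorted lists: hosts that
    still need the update (with their version) and hosts whose banner was unparseable."""
    vulnerable, unknown = [], []
    for host, banner in inventory:
        v = parse_openvpn_version(banner)
        if v is None:
            unknown.append(host)
        elif is_affected(v):
            vulnerable.append((host, "%d.%d.%d" % v))
    return sorted(vulnerable), sorted(unknown)


# Constructed sample banners (hypothetical hosts); only the "OpenVPN x.y.z" token matters.
SAMPLE_INVENTORY = [
    ("win-vpn-01", "OpenVPN 2.6.8 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO]"),
    ("win-vpn-02", "OpenVPN 2.6.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO]"),
    ("lin-gw-01", "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]"),
    ("lin-gw-02", "OpenVPN 2.5.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]"),
    ("legacy-01", "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]"),
    ("broken-01", "bash: openvpn: command not found"),
]

if __name__ == "__main__":
    needs_update, unparsed = triage(SAMPLE_INVENTORY)
    for host, ver in needs_update:
        print(f"{host}: OpenVPN {ver} is affected, update required")
    for host in unparsed:
        print(f"{host}: could not determine OpenVPN version")
```

On a real fleet the banner column would come from your inventory tool's output of `openvpn --version`; note that CVE-2024-1305 lives in the TAP driver, whose version is not shown by this check.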
All the vulnerabilities can be exploited once an attacker has obtained a user's OpenVPN credentials, which could be acquired in various ways, including purchasing stolen credentials on the dark web, deploying infostealer malware, or sniffing network traffic to capture NTLMv2 hashes and then cracking them offline with tools such as HashCat or John the Ripper.
An attacker could chain these flaws in different combinations, such as CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903, to achieve RCE and LPE, respectively.
«An attacker could leverage at least three of the four discovered vulnerabilities to create exploits that facilitate RCE and LPE, which could be chained to create a powerful attack chain,» said Tokarev, adding that they could employ techniques like Bring Your Own Vulnerable Driver (BYOVD) after achieving LPE.
«Through these techniques, the attacker can, for example, disable Protected Process Light (PPL) for a critical process like Microsoft Defender or bypass and manipulate other critical processes in the system. These actions enable attackers to evade security products and manipulate core system functions, further strengthening their control and avoiding detection.»
Via The Hacker News