Security News > 2024 > August > Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
2024-08-09 18:18

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution and local privilege escalation.

CVE-2024-27459 - A stack overflow vulnerability leading to a Denial-of-service and LPE in Windows.

CVE-2024-27903 - A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD. CVE-2024-1305 - A memory overflow vulnerability leading to DoS in Windows.

All the vulnerabilities can be exploited once an attacker gains access to a user's OpenVPN credentials, which, in turn, could be obtained through various methods, including purchasing stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them.

An attacker could then be chained in different combinations - CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 - to achieve RCE and LPE, respectively.

"An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain," Tokarev said, adding they could leverage methods like Bring Your Own Vulnerable Driver after achieving LPE. "Through these techniques, the attacker can disable Protect Process Light for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system's core functions, further entrenching their control and avoiding detection."


News URL

https://thehackernews.com/2024/08/microsoft-reveals-four-openvpn-flaws.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-07-08 CVE-2024-1305 tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space
0.0
2024-07-08 CVE-2024-27903 Unrestricted Upload of File with Dangerous Type vulnerability in Openvpn
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
network
low complexity
openvpn CWE-434
critical
9.8
2024-07-08 CVE-2024-27459 Out-of-bounds Write vulnerability in Openvpn
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
local
low complexity
openvpn CWE-787
7.8
2024-07-08 CVE-2024-24974 Unspecified vulnerability in Openvpn
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
network
low complexity
openvpn
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400
Openvpn 4 1 8 22 6 37