Security News > 2024 > August > Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution and local privilege escalation.
CVE-2024-27459 - A stack overflow vulnerability leading to a Denial-of-service and LPE in Windows.
CVE-2024-27903 - A vulnerability in the plugin mechanism leading to RCE in Windows, and LPE and data manipulation in Android, iOS, macOS, and BSD. CVE-2024-1305 - A memory overflow vulnerability leading to DoS in Windows.
All the vulnerabilities can be exploited once an attacker gains access to a user's OpenVPN credentials, which, in turn, could be obtained through various methods, including purchasing stolen credentials on the dark web, using stealer malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them.
An attacker could then be chained in different combinations - CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 - to achieve RCE and LPE, respectively.
"An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain," Tokarev said, adding they could leverage methods like Bring Your Own Vulnerable Driver after achieving LPE. "Through these techniques, the attacker can disable Protect Process Light for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system's core functions, further entrenching their control and avoiding detection."
News URL
https://thehackernews.com/2024/08/microsoft-reveals-four-openvpn-flaws.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-07-08 | CVE-2024-1305 | tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space | 0.0 |
2024-07-08 | CVE-2024-27903 | Unrestricted Upload of File with Dangerous Type vulnerability in Openvpn OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | 9.8 |
2024-07-08 | CVE-2024-27459 | Out-of-bounds Write vulnerability in Openvpn The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. | 7.8 |
2024-07-08 | CVE-2024-24974 | Unspecified vulnerability in Openvpn The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. | 7.5 |