OpenVPN says reports of zero-day vulnerabilities in OpenVPN2 linked to the “OVPNX” attack are false, as the bugs were fixed in March.
In early May 2024, Black Hat announced an upcoming August presentation claiming zero-day vulnerabilities in OpenVPN2 under the attack name “OVPNX.” The vulnerabilities in question, CVE-2024-27903, CVE-2024-27459 and CVE-2024-24974, had already been fixed by the OpenVPN community in its March 2024 releases, so the zero-day label does not apply.
Security researcher Vladimir Tokarev found the issues and disclosed them responsibly to the OpenVPN community, which fixed them in OpenVPN 2.6.10 and 2.5.10 and published technical details on the OpenVPN community wiki.
The vulnerabilities are specific to Windows and involve privilege escalation through the interactive service that the OpenVPN GUI relies on. The OpenVPN2 process itself runs with the least privileges it needs, but some actions, such as adding system routes, require elevated rights; those are delegated to the interactive service component, which runs with higher privileges.
If an OpenVPN2 process were compromised, for example by a malicious plugin, it could abuse the interactive service to carry out tasks at that higher privilege level. In addition, the interactive service's named pipe was reachable over the network, so anyone holding valid credentials of an OpenVPN Administrators group member could talk to it remotely.
Exploiting these vulnerabilities requires a prior compromise of the target system, OpenVPN's announcement explains. An attacker would need administrator-level access to replace the OpenVPN2 binary with a malicious one, or the cooperation of an OpenVPN Administrator to load a malicious plugin. The over-the-network variant requires valid credentials for a member of the OpenVPN Administrators group. Given these preconditions, an attacker already has enough control over the system that these specific bugs add little.
To mitigate these risks, the OpenVPN community implemented the following fixes in the latest versions:
- CVE-2024-27903: Plugins on Windows are now loaded only from trusted locations, and only an OpenVPN Administrator can designate those locations.
- CVE-2024-24974: Remote access to the interactive service's pipe is disabled, closing the over-the-network path.
- CVE-2024-27459: The privilege escalation in the interactive service component is fixed, so a compromised OpenVPN2 process can no longer abuse it as described above.
OpenVPN users on Windows are advised to update to the latest releases (2.6.10 or 2.5.10), which contain these fixes.
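As an added illustration of the preconditions and fixes above (audit code written for this page, not OpenVPN's own tooling): a Python script that checks whether an installed OpenVPN2 version predates the 2.5.10/2.6.10 fixes and lists `plugin` directives in a config that point outside the install directory. It assumes the install directory is the default trusted plugin location after the CVE-2024-27903 fix, with any further locations added by an OpenVPN Administrator. The `--version` banner, the config fragment, the DLL name and the install path are constructed samples; on a real host, feed the first line of `openvpn.exe --version` to `parse_version` and the contents of each .ovpn file to `untrusted_plugins`.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Releases that carry the fixes, per the OpenVPN announcement: 2.5.10 and 2.6.10.
FIXED_IN = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}

# Constructed sample of the first line of `openvpn.exe --version` on an unpatched
# 2.6.9 install; only the leading "OpenVPN x.y.z" is parsed.
SAMPLE_VERSION_OUTPUT = "OpenVPN 2.6.9 Windows [SSL (OpenSSL)] [LZO] [LZ4] built on Jan 1 2024"

INSTALL_DIR = r"C:\Program Files\OpenVPN"  # assumed default install location

# Constructed .ovpn fragment with a hypothetical plugin DLL name: one copy inside
# the install tree, one in a user-writable directory, one escaping via "..".
SAMPLE_CONFIG = r"""
client
dev tun
# plugin shipped in the install tree
plugin "C:\Program Files\OpenVPN\bin\openvpn-plugin-sample.dll" arg1
; same DLL name dropped in a user-writable directory
plugin C:\Users\Public\openvpn-plugin-sample.dll
; lexically starts inside the install tree but walks back out of it
plugin "C:\Program Files\OpenVPN\..\..\Users\Public\openvpn-plugin-sample.dll"
verb 3
"""


def parse_version(version_output: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `openvpn --version`."""
    m = re.match(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", version_output.strip())
    if not m:
        raise ValueError("does not look like `openvpn --version` output")
    return tuple(int(g) for g in m.groups())


def is_patched(version: tuple) -> bool:
    """True if the version is at or above the fixed release of its branch."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version >= FIXED_IN[branch]
    # Branches newer than 2.6 inherit the fix; 2.4 and older never received it.
    return branch > (2, 6)


def _inside(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Lexical containment with Windows case-folding. Any '..' component is
    rejected outright because PureWindowsPath does not normalise it away."""
    if not path.is_absolute() or ".." in path.parts:
        return False
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def plugin_directives(config_text: str) -> list:
    """Return the DLL path of every `plugin` option in an OpenVPN config."""
    paths = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            # Non-POSIX mode: backslashes stay literal and quoted paths stay whole.
            tokens = shlex.split(line, comments=False, posix=False)
        except ValueError:  # unbalanced quote; not a line we can interpret
            continue
        # OpenVPN treats an unquoted # or ; as the start of a trailing comment.
        for i, tok in enumerate(tokens):
            if tok[:1] in ("#", ";"):
                tokens = tokens[:i]
                break
        if len(tokens) >= 2 and tokens[0].lower() == "plugin":
            paths.append(tokens[1].strip("\"'"))
    return paths


def untrusted_plugins(config_text: str, install_dir: str = INSTALL_DIR) -> list:
    """Plugin paths outside install_dir. Before 2.6.10/2.5.10 these were loaded
    into the OpenVPN process (CVE-2024-27903); after the fix OpenVPN refuses them
    unless an OpenVPN Administrator has designated the directory as trusted."""
    root = PureWindowsPath(install_dir)
    return [p for p in plugin_directives(config_text)
            if not _inside(PureWindowsPath(p), root)]


if __name__ == "__main__":
    v = parse_version(SAMPLE_VERSION_OUTPUT)
    print("installed:", ".".join(map(str, v)), "patched" if is_patched(v) else "UNPATCHED")
    for p in untrusted_plugins(SAMPLE_CONFIG):
        print("plugin outside install dir:", p)
```

The `..` case is the one worth keeping: a prefix comparison on the raw string would accept a path that merely starts with the install directory, so the check refuses any parent-directory component rather than trying to normalise it.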