Microsoft on Thursday disclosed four medium-severity security flaws in its open-source OpenVPN software that could be combined to achieve remote code execution (RCE) and local elevation of privilege (LPE).
“This chain of attacks can allow attackers to gain complete control over targeted endpoints, potentially leading to data leakage, system compromise, and unauthorized access to sensitive information,” Vladimir Tokarov of the Microsoft Threat Intelligence Community. said.
However, the exploit presented by Black Hat USA 2024 requires user authentication and a deep understanding of OpenVPN’s inner workings. The vulnerabilities affect all OpenVPN versions up to 2.6.10 and 2.5.10.
The list of vulnerabilities is as follows –
- CVE-2024-27459 – Stack Overflow Vulnerability leading to Denial of Service (DoS) and LPE in Windows
- CVE-2024-24974 – Unauthorized access to a channel named “\\openvpn\\service” on Windows, which allows an attacker to remotely interact with and execute operations on it
- CVE-2024-27903 – Vulnerability in the plugin engine leads to RCE on Windows and LPE and data manipulation on Android, iOS, macOS, and BSD
- CVE-2024-1305 – Memory overflow vulnerability leading to DoS in Windows
The first three of the four flaws are in a component called openvpnserv, and the last one is in the Windows Terminal Access Point (TAP) driver.
All of the vulnerabilities can be exploited once an attacker has access to an OpenVPN user’s credentials, which in turn can be obtained through a variety of methods, including purchasing stolen credentials on the dark web, using hijacking malware, or eavesdropping on network traffic to capture hashes NTLMv2 and then use cracking tools like HashCat or John the Ripper to decrypt them.
The attacker can then combine different combinations – CVE-2024-24974 and CVE-2024-27903 or CVE-2024-27459 and CVE-2024-27903 – to achieve RCE and LPE, respectively.
“An attacker could use at least three of the four identified vulnerabilities to create exploits to facilitate RCE and LPE, which could then be combined into a powerful attack chain,” Tokarov said, adding that they could use techniques such as Bring your vulnerable driver (BEUD) after reaching the LPE.
“With these techniques, an attacker can, for example, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender, or bypass and interfere with other critical processes on the system. These actions allow attackers to bypass security products and manipulate key system functions, further strengthening their control and avoiding detection.”
