Addressing the Hyperbole: OpenVPN Zero-Day Vulnerabilities
Recently, certain outlets incorrectly reported four zero-day vulnerabilities in OpenVPN2 that allow an attack called OVPNX. These reportedly included CVE-2024-27903, CVE-2024-27459, and CVE-2024-24974.
The news was alarming to many, as the OpenVPN2 protocol is used not only in OpenVPN’s commercial products, but in several other VPN providers’ products. However, the report contained several inaccuracies, and there is no need to panic.
The bottom line: there were no 'zero-day' vulnerabilities, and the vulnerabilities that did occur were difficult to exploit and resolved by the community quickly and efficiently. Any report saying otherwise is a lot of hype and hyperbole. It may seem dramatic and drive clicks, but it simply isn't true.
In this post we'll go into specific detail about each of these claims, what you need to know about the vulnerabilities reported, and our recommendations moving forward.
Did OpenVPN have any zero-day vulnerabilities in March 2024?
The short answer: no. OpenVPN did not have any zero-day vulnerabilities.
A zero-day vulnerability is, by definition, one whose details are published with no fix available. The vulnerabilities listed above, however, were not easy to exploit and were reported quickly through the proper channels, and the OpenVPN community released a new version in March 2024, complete with the fixes and the details needed.
In other words, these are simply not zero-day vulnerabilities.
Impacts and exploitability of OpenVPN vulnerabilities in March 2024
Now that we know these were not zero-day vulnerabilities, let’s discuss what they actually mean, the risks they posed, and their potential impact in practical terms.
The following is a portion of the information shared in the recent OpenVPN security advisory:
- For an over-the-network attack, you would need valid credentials of a user who is a member of the OpenVPN Administrators group.
- In OpenVPN GUI on Windows, the OpenVPN2 processes run with the least required privileges, but some actions need higher-level privileges. If your OpenVPN2 process is compromised, for example by loading a malicious plugin, then it is possible to exploit a vulnerability in the interactive service component to have it perform tasks at its higher privilege level.
- If you have valid credentials for a user who is part of the OpenVPN Administrators group, you could access the interactive service, and then exploit the same aforementioned privilege escalation vulnerability.
TL;DR: You would already need a significant amount of access to the target system in order to exploit these vulnerabilities – enough access that you would likely not need to exploit them at all.
Resolution and security recommendations
The OpenVPN team recommends installing all updates. If you are on Windows and using OpenVPN GUI, please update to the latest version (2.6.10 or 2.5.10), which includes the fixes for these issues.
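To check a fleet against the fixed releases named above, the following added example (not OpenVPN's own tooling) classifies collected `openvpn --version` banner lines. The banner layout, host names and sample lines are constructed assumptions, and branches other than 2.5 and 2.6 are reported as unknown because this post names fixed versions only for those two.

```python
import re

# Fixed releases named in the post, keyed by release branch (major, minor).
FIXED = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}

# Assumed banner layout: "OpenVPN <major>.<minor>.<patch> ..." on the first line.
BANNER_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    match = BANNER_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Return 'fixed', 'update-needed' or 'unknown' for one banner line."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # unparseable banner: inspect the host by hand
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # branch for which the post names no fixed release
    # Compare integer tuples: as plain strings "2.6.9" sorts after "2.6.10".
    return "fixed" if version >= fixed else "update-needed"


def audit(inventory):
    """Map each host to its status given {host: banner line}."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banner lines).
SAMPLE_INVENTORY = {
    "ws-01": "OpenVPN 2.6.9 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-02": "OpenVPN 2.6.10 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-03": "OpenVPN 2.5.9 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-04": "OpenVPN 2.4.12 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "ws-05": "'openvpn' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual look rather than being treated as safe.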
For more information, you can check out all of OpenVPN’s security advisories, past and present. You can also read more about OpenVPN’s security compliance procedures and certifications. If you have further questions, please do not hesitate to reach out to a member of our team.