At the beginning of May 2024, Black Hat announced an upcoming presentation in August 2024 that incorrectly claims there are zero-day vulnerabilities in OpenVPN2 that allow an attack called OVPNX. The definition of a zero-day vulnerability is that details are published but no fix is available. However, the OpenVPN community released new versions in March 2024 with the fixes and the details. Therefore these are simply not zero-day vulnerabilities.
The primary goal of this security advisory is to clarify that these are not zero-day vulnerabilities. It’s important to note that this issue is specific to Windows and is not all that easy to exploit.
Security researcher Vladimir Tokarev reported the issues to the OpenVPN community using a responsible disclosure procedure. They have responded by fixing these issues and releasing OpenVPN 2.6.10 and 2.5.10 and publishing the following relevant vulnerability details:
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27903
- https://community.openvpn.net/openvpn/wiki/CVE-2024-27459
- https://community.openvpn.net/openvpn/wiki/CVE-2024-24974
Impact
In OpenVPN GUI on Windows, the OpenVPN2 processes run with the least required privileges. Some actions, however, need higher privileges, for example adding routes to the system. For those specific actions the OpenVPN2 process can use the interactive service component, which runs at a higher privilege level for this purpose.
If your OpenVPN2 process is compromised, for example by loading a malicious plugin, then it is possible to exploit a vulnerability in the interactive service component to have it perform tasks at its higher privilege level. So this is a privilege escalation issue.
Furthermore, the service pipe for the interactive service is reachable over the network, while it does not need to be. With valid credentials for a user that is a member of the OpenVPN Administrators group, you could access the interactive service remotely and then exploit the same privilege escalation vulnerability.
Exploitability
You could replace the OpenVPN2 binary that comes with OpenVPN GUI with one that attacks the interactive service component. Replacing this binary requires administrator level access. If you run such a binary from another location it will not have access to the interactive service component.
Alternatively you could load a malicious plugin for OpenVPN2 which then carries out this attack against the interactive service. But you need the help of an OpenVPN Administrator to load such a plugin before you can exploit the interactive service.
For an over-the-network attack you would need valid credentials of a user that is a member of the OpenVPN Administrators group.
In short, you would need to have an already significant amount of access to the target system in order to exploit these vulnerabilities. Enough access that you would likely not need to exploit these vulnerabilities.
Resolution
The fix for CVE-2024-27903 improves the security of plugin loading on Windows by making it so that plugins can only be loaded from certain trusted locations. So not only does the connection profile need to be in a trusted location, but the plugin you’re loading must also be in a trusted location. Only OpenVPN Administrators can add to these trusted locations.
The fix for CVE-2024-24974 disallows remote access to the service pipe for the interactive service component of OpenVPN GUI for Windows. This solves the remote access vulnerability.
The fix for CVE-2024-27459 solves the actual privilege escalation in the interactive service component, so neither of the methods above can lead to privilege escalation.
If you are on Windows and using OpenVPN GUI, then please update to the latest version (2.6.10 or 2.5.10), which includes the fixes for these issues.
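To check whether the installed OpenVPN2 builds on a Windows host already carry these fixes, the following PowerShell snippet compares each installed version against the 2.6.10 / 2.5.10 thresholds named above. It is an added example, not code from the OpenVPN project or this advisory; it assumes the installer registers under the standard Windows Uninstall registry keys with a DisplayName containing "OpenVPN" and a DisplayVersion beginning "2.x.y", and it treats branches newer than 2.6 as fixed, which is an assumption.

```powershell
# Added example, not from the OpenVPN advisory: report whether OpenVPN2 builds
# installed on this Windows host include the fixes for CVE-2024-27903,
# CVE-2024-27459 and CVE-2024-24974, which shipped in 2.6.10 and 2.5.10.
# Assumption: the installer registers under the standard Uninstall keys with a
# DisplayName containing "OpenVPN" and a DisplayVersion starting "2.x.y".

# Minimum fixed version per release branch, as named in the advisory.
$FixedVersions = @{
    '2.5' = [version]'2.5.10'
    '2.6' = [version]'2.6.10'
}

function Test-OpenVpnFixed {
    param([Parameter(Mandatory)][string]$Product, [Parameter(Mandatory)][string]$DisplayVersion)
    $result = [ordered]@{ Product = $Product; Version = $DisplayVersion; Fixed = $null; Note = '' }

    # Keep only the leading dotted numeric part, e.g. "2.6.9-I001" -> "2.6.9".
    if ($DisplayVersion -notmatch '^(\d+\.\d+\.\d+)') {
        $result.Note = 'unparseable version; check manually'
        return [pscustomobject]$result
    }
    $ver = [version]$Matches[1]
    $branch = "$($ver.Major).$($ver.Minor)"

    if ($ver.Major -ne 2) {
        $result.Note = 'not an OpenVPN2 build; out of scope for this advisory'
    } elseif ($FixedVersions.ContainsKey($branch)) {
        $result.Fixed = ($ver -ge $FixedVersions[$branch])
        $result.Note = if ($result.Fixed) { 'includes the fixes' } else { "update to $($FixedVersions[$branch]) or later" }
    } elseif ($ver.Minor -gt 6) {
        # Assumption: branches released after 2.6.10 carry the same fixes.
        $result.Fixed = $true
        $result.Note = 'newer branch than the fixed releases'
    } else {
        # 2.4 and older are not among the fixed releases named in the advisory.
        $result.Fixed = $false
        $result.Note = 'branch not covered by the fixes; upgrade to 2.6.10 or later'
    }
    [pscustomobject]$result
}

# Enumerate installed products from the 64-bit and 32-bit Uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*OpenVPN*' -and $_.DisplayVersion } |
    ForEach-Object { Test-OpenVpnFixed -Product $_.DisplayName -DisplayVersion $_.DisplayVersion } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Windows client running OpenVPN GUI; any row with Fixed set to False needs the update described above.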