Microsoft finds 4 bugs in OpenVPN that can cause RCE attacks

Four medium-severity bugs in OpenVPN can be chained together to allow an attacker to carry out remote code execution (RCE) and local privilege escalation (LPE) attacks. If exploited, these attacks can allow hackers to gain full control of targeted endpoints, resulting in data breaches, system compromises, and unauthorised access to sensitive data.

Microsoft researchers announced the bugs during the Black Hat USA 2024 conference. According to the researchers, the zero-day vulnerabilities affect “thousands of companies on major platforms like Windows, iOS, macOS, Android, and BSD.”

More specifically, the following four vulnerabilities were found affecting all versions of OpenVPN before 2.6.10 and 2.5.10:

  • CVE-2024-1305: This vulnerability in the Windows TAP driver can cause a denial of service attack on Windows machines.
  • CVE-2024-27459: The bug lies in the openvpnserv component of OpenVPN and can cause denial of service and local privilege escalation attacks on Windows machines.
  • CVE-2024-27903: Another bug in the openvpnserv component, this vulnerability allows for remote code execution attacks on Windows and local privilege escalation and data manipulation attacks on Android, iOS, macOS, and BSD systems.
  • CVE-2024-27974: This is also an issue in the openvpnserv component that can cause unauthorised access to Windows devices.
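A defender can triage an inventory against the fixed releases named above. The following is an added example, not code from the article, Microsoft or the OpenVPN project. It assumes each host's banner is the first line printed by `openvpn --version`, reads "before 2.6.10 and 2.5.10" per release branch (older branches count as affected), and uses constructed host names and banners.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release branch.
FIXED = {(2, 6): (2, 6, 10), (2, 5): (2, 5, 10)}
OLDEST_FIXED = min(FIXED.values())  # (2, 5, 10)

_BANNER = re.compile(r"\bOpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?(\S*)")

def parse_version(banner):
    """Return ((major, minor, patch), is_prerelease), or None if no version is found."""
    m = _BANNER.search(banner)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    prerelease = bool(re.search(r"alpha|beta|rc", m.group(4), re.I))
    return version, prerelease

def is_affected(banner):
    """True/False per the article's version ranges; None when the banner is unparseable."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    version, prerelease = parsed
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Assumption: a branch with no listed fix is judged against 2.5.10.
        return version < OLDEST_FIXED
    # A pre-release of the fixed version predates the fix itself.
    return version < fixed or (version == fixed and prerelease)

def triage(inventory):
    """Group (host, banner) pairs into affected / fixed / unknown host lists."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in inventory:
        verdict = is_affected(banner)
        key = "unknown" if verdict is None else "affected" if verdict else "fixed"
        report[key].append(host)
    return report

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    ("laptop-01", "OpenVPN 2.6.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"),
    ("laptop-02", "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"),
    ("gateway-01", "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]"),
    ("legacy-01", "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)]"),
    ("kiosk-01", "sh: openvpn: not found"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, since a missing binary on the path does not prove OpenVPN is absent.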

At the moment, millions of OpenVPN endpoints around the world are vulnerable. Exploiting the vulnerabilities requires a user’s credentials, but these can be obtained using an info stealer, by capturing NTLMv2 hashes from network traffic, or simply by purchasing them from the dark web.

Another factor that can make these vulnerabilities difficult to exploit is that the attacker needs a deep understanding of how OpenVPN functions under the hood. Given that OpenVPN is open-source and the most popular VPN used across the globe, the disclosure has kicked off a race between developers and potential attackers, with developers needing to patch the vulnerabilities before any attacks take place.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.